apk package
chainguard/hive-compat
pkg:apk/chainguard/hive-compat
Vulnerabilities (40)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-13956 | — | < 4.0.1-r1 | 4.0.1-r1 | Dec 2, 2020 | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. | ||
| CVE-2020-14195 | — | < 4.0.1-r1 | 4.0.1-r1 | Jun 16, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). | ||
| CVE-2020-14060 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). | |
| CVE-2020-14062 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). | |
| CVE-2020-14061 | — | < 4.0.1-r1 | 4.0.1-r1 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnecti | ||
| CVE-2020-11619 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Apr 7, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). | |
| CVE-2020-11620 | — | < 4.0.1-r1 | 4.0.1-r1 | Apr 7, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). | ||
| CVE-2020-11113 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | |
| CVE-2020-11112 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | |
| CVE-2020-11111 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). | ||
| CVE-2020-10968 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 26, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | ||
| CVE-2020-10969 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 26, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | ||
| CVE-2020-10672 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 18, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | ||
| CVE-2019-14893 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 2, 2020 | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultT | ||
| CVE-2020-9546 | Cri | 9.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 2, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | |
| CVE-2018-12023 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 17, 2019 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, i | ||
| CVE-2018-19361 | — | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | ||
| CVE-2018-19360 | — | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | ||
| CVE-2018-14721 | — | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | ||
| CVE-2018-14720 | — | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. |
- CVE-2020-13956Dec 2, 2020affected < 4.0.1-r1fixed 4.0.1-r1
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
- CVE-2020-14195Jun 16, 2020affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
- CVE-2020-14061Jun 14, 2020affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnecti
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
- CVE-2020-11620Apr 7, 2020affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
- CVE-2020-11111Mar 31, 2020affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
- CVE-2020-10968Mar 26, 2020affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
- CVE-2020-10969Mar 26, 2020affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
- CVE-2020-10672Mar 18, 2020affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
- CVE-2019-14893Mar 2, 2020affected < 4.0.1-r1fixed 4.0.1-r1
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultT
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
- CVE-2018-12023Mar 17, 2019affected < 4.0.1-r1fixed 4.0.1-r1
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, i
- CVE-2018-19361Jan 2, 2019affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
- CVE-2018-19360Jan 2, 2019affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
- CVE-2018-14721Jan 2, 2019affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
- CVE-2018-14720Jan 2, 2019affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Page 2 of 2