VYPR

apk package

chainguard/hive-compat

pkg:apk/chainguard/hive-compat

Vulnerabilities (40)

  • CVE-2020-13956Dec 2, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

  • CVE-2020-14195Jun 16, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

  • CVE-2020-14060HigJun 14, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

  • CVE-2020-14062HigJun 14, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

  • CVE-2020-14061Jun 14, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnecti

  • CVE-2020-11619HigApr 7, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

  • CVE-2020-11620Apr 7, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

  • CVE-2020-11113HigMar 31, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

  • CVE-2020-11112HigMar 31, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

  • CVE-2020-11111Mar 31, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

  • CVE-2020-10968Mar 26, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

  • CVE-2020-10969Mar 26, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

  • CVE-2020-10672Mar 18, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

  • CVE-2019-14893Mar 2, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultT

  • CVE-2020-9546CriMar 2, 2020
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

  • CVE-2018-12023Mar 17, 2019
    affected < 4.0.1-r1fixed 4.0.1-r1

    An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, i

  • CVE-2018-19361Jan 2, 2019
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

  • CVE-2018-19360Jan 2, 2019
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

  • CVE-2018-14721Jan 2, 2019
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

  • CVE-2018-14720Jan 2, 2019
    affected < 4.0.1-r1fixed 4.0.1-r1

    FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Page 2 of 2