apk package
chainguard/hive
pkg:apk/chainguard/hive
Vulnerabilities (40)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-13956 | Med | 5.3 | < 4.0.1-r1 | 4.0.1-r1 | Dec 2, 2020 | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. | |
| CVE-2020-14195 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Jun 16, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). | |
| CVE-2020-14060 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). | |
| CVE-2020-14062 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). | |
| CVE-2020-14061 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnecti | |
| CVE-2020-11620 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Apr 7, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). | |
| CVE-2020-11619 | Hig | 8.1 | < 4.0.1-r1 | 4.0.1-r1 | Apr 7, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). | |
| CVE-2020-11113 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | |
| CVE-2020-11112 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). | |
| CVE-2020-11111 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). | |
| CVE-2020-10969 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 26, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | |
| CVE-2020-10968 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 26, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | |
| CVE-2020-10672 | Hig | 8.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 18, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | |
| CVE-2019-14893 | Cri | 9.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 2, 2020 | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultT | |
| CVE-2020-9546 | Cri | 9.8 | < 4.0.1-r1 | 4.0.1-r1 | Mar 2, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | |
| CVE-2018-12023 | Hig | 7.5 | < 4.0.1-r1 | 4.0.1-r1 | Mar 21, 2019 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, i | |
| CVE-2018-19361 | Cri | 9.8 | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | |
| CVE-2018-19360 | Cri | 9.8 | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | |
| CVE-2018-14721 | Cri | 10.0 | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. | |
| CVE-2018-14720 | Cri | 9.8 | < 4.0.1-r1 | 4.0.1-r1 | Jan 2, 2019 | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. |
- affected < 4.0.1-r1fixed 4.0.1-r1
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnecti
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
- affected < 4.0.1-r1fixed 4.0.1-r1
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultT
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
- affected < 4.0.1-r1fixed 4.0.1-r1
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, i
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
- affected < 4.0.1-r1fixed 4.0.1-r1
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Page 2 of 2