VYPR

rpm package

almalinux/apache-commons-collections

pkg:rpm/almalinux/apache-commons-collections

Vulnerabilities (14)

  • CVE-2025-52999HigJun 25, 2025
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de

  • CVE-2025-48734May 28, 2025
    affected < 3.2.2-10.module_el8.0.0+6004+2fc32706fixed 3.2.2-10.module_el8.0.0+6004+2fc32706

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2020-36518Mar 11, 2022
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

  • CVE-2019-17531Oct 12, 2019
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the

  • CVE-2019-16943Oct 1, 2019
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att

  • CVE-2019-16942Oct 1, 2019
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a

  • CVE-2019-16335Sep 15, 2019
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

  • CVE-2019-14540Sep 15, 2019
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

  • CVE-2019-10086Aug 20, 2019
    affected < 3.2.2-10.module_el8.0.0+6004+2fc32706fixed 3.2.2-10.module_el8.0.0+6004+2fc32706

    In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the Prop

  • CVE-2019-12384Jun 24, 2019
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

  • CVE-2018-11784Oct 4, 2018
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated

  • CVE-2018-8037Aug 2, 2018
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors

  • CVE-2018-8034Aug 1, 2018
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

  • CVE-2018-8014May 16, 2018
    affected < 3.2.2-10.module_el8.5.0+2577+9e95fe00fixed 3.2.2-10.module_el8.5.0+2577+9e95fe00

    The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it approp