VYPR

rpm package

almalinux/apache-commons-lang

pkg:rpm/almalinux/apache-commons-lang

Vulnerabilities (14)

  • CVE-2025-52999 (High) - Jun 25, 2025
    affected: < 2.6-21.module_el8.5.0+2577+9e95fe00; fixed: 2.6-21.module_el8.5.0+2577+9e95fe00

    jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de

  • CVE-2025-48734 - May 28, 2025
    affected: < 2.6-21.module_el8.0.0+6004+2fc32706; fixed: 2.6-21.module_el8.0.0+6004+2fc32706

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2020-36518 - Mar 11, 2022
    affected: < 2.6-21.module_el8.5.0+2577+9e95fe00; fixed: 2.6-21.module_el8.5.0+2577+9e95fe00

    jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

  • CVE-2019-17531 - Oct 12, 2019
    affected: < 2.6-21.module_el8.5.0+2577+9e95fe00; fixed: 2.6-21.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the

  • CVE-2019-16943 - Oct 1, 2019
    affected: < 2.6-21.module_el8.5.0+2577+9e95fe00; fixed: 2.6-21.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att

  • CVE-2019-16942 - Oct 1, 2019
    affected: < 2.6-21.module_el8.5.0+2577+9e95fe00; fixed: 2.6-21.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a

  • CVE-2019-16335 - Sep 15, 2019
    affected: < 2.6-21.module_el8.5.0+2577+9e95fe00; fixed: 2.6-21.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

  • CVE-2019-14540 - Sep 15, 2019
    affected: < 2.6-21.module_el8.5.0+2577+9e95fe00; fixed: 2.6-21.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

  • CVE-2019-10086 - Aug 20, 2019
    affected: < 2.6-21.module_el8.0.0+6004+2fc32706; fixed: 2.6-21.module_el8.0.0+6004+2fc32706

    In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the Prop

  • CVE-2019-12384 - Jun 24, 2019
    affected: < 2.6-21.module_el8.5.0+150+5f0dbea0; fixed: 2.6-21.module_el8.5.0+150+5f0dbea0

    FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

  • CVE-2018-11784 - Oct 4, 2018
    affected: < 2.6-21.module_el8.5.0+150+5f0dbea0; fixed: 2.6-21.module_el8.5.0+150+5f0dbea0

    When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated

  • CVE-2018-8037 - Aug 2, 2018
    affected: < 2.6-21.module_el8.5.0+150+5f0dbea0; fixed: 2.6-21.module_el8.5.0+150+5f0dbea0

    If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors

  • CVE-2018-8034 - Aug 1, 2018
    affected: < 2.6-21.module_el8.5.0+150+5f0dbea0; fixed: 2.6-21.module_el8.5.0+150+5f0dbea0

    The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

  • CVE-2018-8014 - May 16, 2018
    affected: < 2.6-21.module_el8.5.0+150+5f0dbea0; fixed: 2.6-21.module_el8.5.0+150+5f0dbea0

    The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it approp