Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Description:
Emulates a predicate that checks if a person is of legal age.
License:
MIT License https://opensource.org/licenses/MITFile Path: /Users/jegors/Projects/epam/learning-week-2023/diffblue-cover/diffblue-legal-age/pom.xml
Description:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.6/jackson-core-2.9.6.jar
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.CWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
Description:
General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.CWE-918 Server-Side Request Forgery (SSRF)
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.CWE-611 Improper Restriction of XML External Entity Reference, CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Vulnerable Software & Versions: (show all)
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.CWE-502 Deserialization of Untrusted Data, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).NVD-CWE-Other
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).NVD-CWE-Other
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.CWE-611 Improper Restriction of XML External Entity Reference
Vulnerable Software & Versions: (show all)
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.CWE-787 Out-of-bounds Write
Vulnerable Software & Versions: (show all)
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.CWE-20 Improper Input Validation
Vulnerable Software & Versions: (show all)
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions: (show all)
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.CWE-770 Allocation of Resources Without Limits or Throttling
Vulnerable Software & Versions:
Description:
Support for reading and writing CSV-encoded data via Jackson abstractions.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-csv/2.9.6/jackson-dataformat-csv-2.9.6.jar
Description:
Support for reading and writing Smile ("binary JSON")
encoded data using Jackson abstractions (streaming API, data binding,
tree model)
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-smile/2.9.6/jackson-dataformat-smile-2.9.6.jar
Description:
Support for using JAXB annotations as an alternative to "native" Jackson annotations, for configuring data-binding.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/com/fasterxml/jackson/module/jackson-module-jaxb-annotations/2.9.6/jackson-module-jaxb-annotations-2.9.6.jar
Description:
Add-on module for Jackson (http://jackson.codehaus.org) to support JSON Schema (http://tools.ietf.org/html/draft-zyp-json-schema-03) version 3 generation.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/com/fasterxml/jackson/module/jackson-module-jsonSchema/2.9.6/jackson-module-jsonSchema-2.9.6.jar
Description:
JSON is a light-weight, language independent, data interchange format.
See http://www.JSON.org/
The files in this package implement JSON encoders/decoders in Java.
It also includes the capability to convert between JSON and XML, HTTP
headers, Cookies, and CDL.
This is a reference implementation. There are a large number of JSON packages
in Java. Perhaps someday the Java community will standardize on one. Until
then, choose carefully.
License:
Public Domain: https://github.com/stleary/JSON-java/blob/master/LICENSEFile Path: /Users/jegors/.m2/repository/org/json/json/20231013/json-20231013.jar
Description:
RESTful web framework for Java (API and Engine).
File Path: /Users/jegors/.m2/repository/org/restlet/jee/org.restlet/2.4.3/org.restlet-2.4.3.jar
MD5: 01379d5615f611f90c9c0997f318de8e
SHA1: fb9441cfe1e17b04976bed9b0dfd8c4a39c41b78
SHA256:5f4660bdfc7574461b8d844ccfefd6c3f1be5eb0037e72f63ce158ae0c767f79
Referenced In Project/Scope: Legal Age Web Application:compile
org.restlet-2.4.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.restlet.jee/org.restlet.ext.servlet@2.4.3
Description:
Simple is a high performance asynchronous HTTP framework for Java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/org/simpleframework/simple/5.1.6/simple-5.1.6.jar
Description:
YAML 1.1 parser and emitter for Java
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/org/yaml/snakeyaml/1.18/snakeyaml-1.18.jar
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.��Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation
Vulnerable Software & Versions:
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Vulnerable Software & Versions: (show all)
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Vulnerable Software & Versions:
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
Vulnerable Software & Versions:
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
Vulnerable Software & Versions:
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
Vulnerable Software & Versions:
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
Vulnerable Software & Versions:
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
Vulnerable Software & Versions:
Description:
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.htmlFile Path: /Users/jegors/.m2/repository/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar
Description:
tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: /Users/jegors/.m2/repository/org/codehaus/woodstox/stax2-api/3.1.4/stax2-api-3.1.4.jar
Description:
Bean Validation API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar
Description:
Woodstox is a high-performance XML processor that
implements Stax (JSR-173), SAX2 and Stax2 APIs
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
Vulnerable Software & Versions: (show all)
Description:
Woodstox is a high-performance XML processor that implements Stax (JSR-173) and SAX2 APIs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /Users/jegors/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.3.0/woodstox-core-asl-4.3.0.jar
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.CWE-787 Out-of-bounds Write, CWE-121 Stack-based Buffer Overflow
Vulnerable Software & Versions: (show all)