CVSS: 8.1EPSS: 7%CPEs: 75EXPL: 2CVE-2020-36188 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
https://notcve.org/view.php?id=CVE-2020-36188
06 Jan 2021 — FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8 maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource A flaw was found in jackson-databind. FasterXML mishandles the interaction betw... • https://github.com/Al1ex/CVE-2020-36188 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 6%CPEs: 74EXPL: 1CVE-2020-36181 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
https://notcve.org/view.php?id=CVE-2020-36181
06 Jan 2021 — FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization g... • https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 41%CPEs: 65EXPL: 1CVE-2020-35728 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
https://notcve.org/view.php?id=CVE-2020-35728
27 Dec 2020 — FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (también se ... • https://github.com/Al1ex/CVE-2020-35728 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 94%CPEs: 13EXPL: 14CVE-2020-17530 – Apache Struts Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-17530
11 Dec 2020 — Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. Una evaluación OGNL forzada, cuando se evalúa según la entrada del usuario sin procesar en los atributos de la etiqueta, puede conllevar a una ejecución de código remota. Software afectado: Apache Struts versión 2.0.0 - Struts versión 2.5.25 The Apache Struts framework, when forced, performs double evaluation of attribute values assigned... • https://packetstorm.news/files/id/160721 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 9.3EPSS: 93%CPEs: 36EXPL: 4CVE-2020-26217 – Remote Code Execution in XStream
https://notcve.org/view.php?id=CVE-2020-26217
16 Nov 2020 — XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14. • https://github.com/Al1ex/CVE-2020-26217 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 2%CPEs: 37EXPL: 1CVE-2020-24750 – jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration
https://notcve.org/view.php?id=CVE-2020-24750
17 Sep 2020 — FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.6, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con com.pastdev.httpcomponents.configuration.JndiConfiguration A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between ... • https://github.com/Al1ex/CVE-2020-24750 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 4%CPEs: 6EXPL: 0CVE-2019-0233
https://notcve.org/view.php?id=CVE-2019-0233
14 Sep 2020 — An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. Una anulación del permiso de acceso en Apache Struts versiones 2.0.0 hasta 2.5.20, puede causar una Denegación de Servicio al llevar a cabo una carga de archivo • https://cwiki.apache.org/confluence/display/ww/s2-060 • CWE-281: Improper Preservation of Permissions •
CVSS: 9.8EPSS: 93%CPEs: 6EXPL: 12CVE-2019-0230 – Apache Struts 2.5.20 - Double OGNL evaluation
https://notcve.org/view.php?id=CVE-2019-0230
14 Sep 2020 — Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Apache Struts versiones 2.0.0 hasta 2.5.20, forzó una evaluación OGNL doble, cuando se evaluaba en la entrada del usuario sin procesar en los atributos de la etiqueta, puede conllevar a una ejecución de código remota The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags attributes such as id. It is ther... • https://packetstorm.news/files/id/160108 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.1EPSS: 3%CPEs: 33EXPL: 1CVE-2020-24616
https://notcve.org/view.php?id=CVE-2020-24616
25 Aug 2020 — FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.6, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con br.com.anteros.dbcp.AnterosDBCPDataSource (también se conoce como Anteros-DBCP) • https://github.com/0xkami/cve-2020-24616-poc • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.7EPSS: 1%CPEs: 24EXPL: 2CVE-2020-5258 – Prototype pollution in dojo
https://notcve.org/view.php?id=CVE-2020-5258
10 Mar 2020 — In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 En las versiones afectadas de dojo (paquete... • https://github.com/ossf-cve-benchmark/CVE-2020-5258 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •