CVSS: 7.5EPSS: 3%CPEs: 14EXPL: 0CVE-2018-12022 – jackson-databind: improper polymorphic deserialization of types from Jodd-db library
https://notcve.org/view.php?id=CVE-2018-12022
17 Mar 2019 — An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Def... • http://www.securityfocus.com/bid/107585 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 4%CPEs: 13EXPL: 0CVE-2018-12023 – jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
https://notcve.org/view.php?id=CVE-2018-12023
17 Mar 2019 — An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando "Default Typing" está habilitado (globalmente... • http://www.securityfocus.com/bid/105659 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 6%CPEs: 24EXPL: 0CVE-2018-19360 – jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
https://notcve.org/view.php?id=CVE-2018-19360
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.8 podrían permitir a los atacantes remotos tener un impacto no especificado aprovechando un fallo para bloquear la clase axis2-transport-jms de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deseri... • http://www.securityfocus.com/bid/107985 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 6%CPEs: 24EXPL: 0CVE-2018-19362 – jackson-databind: improper polymorphic deserialization in jboss-common-core class
https://notcve.org/view.php?id=CVE-2018-19362
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.8 podrían permitir a los atacantes remotos tener un impacto no especificado aprovechando un fallo para bloquear la clase jboss-common-core de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserializ... • http://www.securityfocus.com/bid/107985 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 4%CPEs: 25EXPL: 0CVE-2018-19361 – jackson-databind: improper polymorphic deserialization in openjpa class
https://notcve.org/view.php?id=CVE-2018-19361
02 Jan 2019 — FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.8 podrían permitir a los atacantes remotos tener un impacto no especificado aprovechando un fallo para bloquear la clase openjpa de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious... • http://www.securityfocus.com/bid/107985 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 1%CPEs: 3EXPL: 0CVE-2017-7545 – jbpmmigration: XXE vulnerability in XmlUtils
https://notcve.org/view.php?id=CVE-2017-7545
30 Nov 2017 — It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. Se ha descubierto que la clase XmlUtils en jbpmmigration 6.5 realizaba la expansión de entidades externas de parámetros mientras analizaba archivos XML. Un atacante remoto podría utiliza... • http://www.securityfocus.com/bid/102179 • CWE-611: Improper Restriction of XML External Entity Reference •