Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Single_sign\-On
(Redhat)| Repositories | https://github.com/FasterXML/jackson-databind |
| #Vulnerabilities | 90 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-07-24 | CVE-2020-14297 | A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable. | Amq, Jboss\-Ejb\-Client, Jboss_enterprise_application_platform_continuous_delivery, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On | 6.5 | ||
| 2023-12-14 | CVE-2023-6563 | An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system. | Keycloak, Openshift_container_platform, Openshift_container_platform_for_ibm_linuxone, Openshift_container_platform_for_power, Single_sign\-On | 7.7 | ||
| 2023-03-29 | CVE-2022-1274 | A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. | Keycloak, Openshift_container_platform, Single_sign\-On | 5.4 | ||
| 2021-12-14 | CVE-2021-4104 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached... | Log4j, Fedora, Advanced_supply_chain_planning, Business_intelligence, Business_process_management_suite, Communications_eagle_ftp_table_base_retrieval, Communications_messaging_server, Communications_network_integrity, Communications_offline_mediation_controller, Communications_unified_inventory_management, E\-Business_suite_cloud_manager_and_cloud_backup_module, Enterprise_manager_base_platform, Financial_services_revenue_management_and_billing_analytics, Fusion_middleware_common_libraries_and_tools, Goldengate, Healthcare_data_repository, Hyperion_data_relationship_management, Hyperion_infrastructure_technology, Identity_management_suite, Jdeveloper, Mysql_enterprise_monitor, Retail_allocation, Retail_extract_transform_and_load, Stream_analytics, Timesten_grid, Tuxedo, Utilities_testing_accelerator, Weblogic_server, Codeready_studio, Enterprise_linux, Integration_camel_k, Integration_camel_quarkus, Jboss_a\-Mq, Jboss_a\-Mq_streaming, Jboss_data_grid, Jboss_data_virtualization, Jboss_enterprise_application_platform, Jboss_fuse, Jboss_fuse_service_works, Jboss_operations_network, Jboss_web_server, Openshift_application_runtimes, Openshift_container_platform, Process_automation, Single_sign\-On, Software_collections | 7.5 | ||
| 2023-12-12 | CVE-2023-5379 | A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This... | Jboss_enterprise_application_platform, Single_sign\-On, Undertow | 7.5 | ||
| 2019-03-21 | CVE-2018-12022 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | Debian_linux, Jackson\-Databind, Fedora, Jd_edwards_enterpriseone_tools, Retail_merchandising_system, Automation_manager, Decision_manager, Jboss_brms, Jboss_enterprise_application_platform, Openshift_container_platform, Single_sign\-On | 7.5 | ||
| 2019-03-21 | CVE-2018-12023 | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | Debian_linux, Jackson\-Databind, Fedora, Jd_edwards_enterpriseone_tools, Retail_merchandising_system, Automation_manager, Decision_manager, Jboss_brms, Jboss_enterprise_application_platform, Openshift_container_platform, Single_sign\-On | 7.5 | ||
| 2019-07-29 | CVE-2019-14379 | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | Xcode, Debian_linux, Jackson\-Databind, Fedora, Active_iq_unified_manager, Oncommand_workflow_automation, Service_level_manager, Snapcenter, Banking_platform, Communications_diameter_signaling_router, Communications_instant_messaging_server, Financial_services_analytical_applications_infrastructure, Goldengate_stream_analytics, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Primavera_unifier, Retail_customer_management_and_segmentation_foundation, Retail_xstore_point_of_service, Siebel_engineering_\-_installer_\&_deployment, Siebel_ui_framework, Jboss_enterprise_application_platform, Openshift_container_platform, Single_sign\-On | 9.8 | ||
| 2019-08-13 | CVE-2019-9514 | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Big\-Ip_local_traffic_manager, Fedora, Web_gateway, Cloud_insights, Trident, Node\.js, Leap, Graalvm, Developer_tools, Enterprise_linux, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_workstation, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_container_platform, Openshift_service_mesh, Openstack, Quay, Single_sign\-On, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware | 7.5 | ||
| 2019-08-13 | CVE-2019-9515 | Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Big\-Ip_local_traffic_manager, Fedora, Web_gateway, Node\.js, Leap, Graalvm, Enterprise_linux, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_container_platform, Openshift_service_mesh, Openstack, Quay, Single_sign\-On, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware | 7.5 |