logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

2022-06-22T15:20:17

Description

## Summary Security vulnerabilities have been addressed in IBM Cognos Analytics 11.1.7 FP5. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.2.2. The following 3rd party components are used by IBM Cognos Analytics: Apache Axis is a Java based Web Services engine for JSON, SOAP, and WSDL (CVE-2012-5785, CVE-2012-4418, CVE-2010-1632). Dom4J is a Java-based XML parsing framework (CVE-2020-10683). Apache Commons Compress is a Java API to support various types of compression and decompression (CVE-2021-35517, CVE-2021-36090). Jupyter Notebook is an interactive computing platform across all programming languages (CVE-2021-32797, CVE-2021-32798). Netty is a Java-based non-blocking I/O networking framework (CVE-2021-37136, CVE-2021-37136). JQuery is a JavaScript library for HTML DOM tree traversal and manipulation (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182). SnakeYAML is a Java-based YAML parsing and serialization library (CVE-2017-18640). Apache Hadoop is a Java based distributed computing platform supporting large data sets (CVE-2020-9492, CVE-2016-6811, CVE-2017-15713, CVE-2017-15718, CVE-2017-3166, CVE-2018-1296, CVE-2018-8029, CVE-2018-11766). CKEditor is a WYSIWYG rich text editor which can be directly inside web pages or application (CVE-2021-41164, CVE-2021-41165). Apache Jena is a Java API to read and write RDF graphs (CVE-2021-39239). Netplex json-smart is a Java-based high performance JSON-processor (CVE-2021-27568). Faster XML Jackson-Databind is a JSON to Java object conversion API (CVE-2021-20190, CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-36189, CVE-2020-36188, CVE-2020-36187, CVE-2020-36186, CVE-2020-36185, CVE-2020-36184, CVE-2020-36183, CVE-2020-36182, CVE-2020-36181, CVE-2020-36180, CVE-2020-36179, CVE-2020-35728, CVE-2020-35491, CVE-2020-35490, CVE-2020-25649, CVE-2020-24750, CVE-2020-24616, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672, CVE-2019-16942, CVE-2019-16943, CVE-2019-17531). IBM Cognos Analytics is vulnerable to further attacks such remote code execution (RCE) and cross-site scripting (XSS) by not validating upload file types or user supplied data (CVE-2021-38945, CVE-2021-39047). IBM Cognos Analytics could allow a low level user to obtain sensitive information from the details of the Cloud Storage page for which they should not have access (CVE-2021-29768). ## Vulnerability Details ** CVEID: **[CVE-2021-27568](<https://vulners.com/cve/CVE-2021-27568>) ** DESCRIPTION: **Netplex json-smart-v1 and json-smart-v2 are vulnerable to a denial of service, caused by an uncaught exception flaw in NumberFormatException. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the library to crash or obtain sensitive information. CVSS Base score: 9.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197316](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197316>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) ** CVEID: **[CVE-2021-35517](<https://vulners.com/cve/CVE-2021-35517>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' tar package. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205307](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205307>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-36090](<https://vulners.com/cve/CVE-2021-36090>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' zip package. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205310](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205310>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-32798](<https://vulners.com/cve/CVE-2021-32798>) ** DESCRIPTION: **Jupyter notebook is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207157](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207157>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2012-5785](<https://vulners.com/cve/CVE-2012-5785>) ** DESCRIPTION: **Apache Axis2/Java, as used in multiple products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. An attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server and launch further attacks against a vulnerable target. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79830>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2012-4418](<https://vulners.com/cve/CVE-2012-4418>) ** DESCRIPTION: **Apache Axis2 could allow a remote attacker to bypass security restrictions, caused by the improper verification of signed XML messages. An attacker could exploit this vulnerability using XML signature wrapping to construct specially-crafted messages and launch further attacks on the system. CVSS Base score: 6.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78454](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78454>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) ** CVEID: **[CVE-2010-1632](<https://vulners.com/cve/CVE-2010-1632>) ** DESCRIPTION: **Apache Axis2/Java is vulnerable to a denial of service, caused by an error when handling XML DTD (Document Type Declaration) data. A remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. CVSS Base score: 5.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/59588](<https://exchange.xforce.ibmcloud.com/vulnerabilities/59588>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P) ** CVEID: **[CVE-2021-32797](<https://vulners.com/cve/CVE-2021-32797>) ** DESCRIPTION: **JupyterLab could allow a remote attacker to execute arbitrary code on the system, caused by the lack of sanitization of the action attribute of an HTML form. By persuading a victim to open a specially-crafted notebook, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207158](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207158>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N) ** CVEID: **[CVE-2021-39047](<https://vulners.com/cve/CVE-2021-39047>) ** DESCRIPTION: **Some IBM products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214349](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214349>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2020-9492](<https://vulners.com/cve/CVE-2020-9492>) ** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper validation of SPNEGO authorization header. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to trigger services to send server credentials to a webhdfs path for capturing the service principal. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195656](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195656>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2016-6811](<https://vulners.com/cve/CVE-2016-6811>) ** DESCRIPTION: **Apache Hadoop could allow a local attacker to gain elevated privileges on the system. By escalating to yarn user, an attacker could exploit this vulnerability to execute arbitrary commands on the system with root privileges. CVSS Base score: 8.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142610](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142610>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2017-15713](<https://vulners.com/cve/CVE-2017-15713>) ** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to obtain sensitive information. By using a specially-crafted file, a remote attacker could exploit this vulnerability to expose private files. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138064](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138064>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2017-15718](<https://vulners.com/cve/CVE-2017-15718>) ** DESCRIPTION: **Apache Hadoop could allow a remote attacker to obtain sensitive information, caused by a flaw in the YARN NodeManager. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain user credentials. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/138211](<https://exchange.xforce.ibmcloud.com/vulnerabilities/138211>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2017-3166](<https://vulners.com/cve/CVE-2017-3166>) ** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the YARN's localization mechanism. By changing access permission to world readable in an encryption zone, an attacker could exploit this vulnerability to gain access to files protected by HDFS transparent encryption. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134627](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134627>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2018-1296](<https://vulners.com/cve/CVE-2018-1296>) ** DESCRIPTION: **Apache Hadoop could allow a remote attacker to obtain sensitive information, caused by the exposure of extended attribute key/value pairs during listXAttrs authorization by HDFS. The path-level search access to the directory is verified instead of path-level read permission to the referent. An attacker could exploit this vulnerability to obtain HDFS encryption secrets and other sensitive information. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/156090](<https://exchange.xforce.ibmcloud.com/vulnerabilities/156090>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2018-8029](<https://vulners.com/cve/CVE-2018-8029>) ** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system. An attacker could exploit this vulnerability to run arbitrary commands as root user. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161812](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161812>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2018-11766](<https://vulners.com/cve/CVE-2018-11766>) ** DESCRIPTION: **Apache Hadoop could allow a local attacker to gain elevated privileges on the system. By escalating to yarn user, an attacker could exploit this vulnerability to execute arbitrary commands on the system with root privileges. CVSS Base score: 8.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/153346](<https://exchange.xforce.ibmcloud.com/vulnerabilities/153346>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-29768](<https://vulners.com/cve/CVE-2021-29768>) ** DESCRIPTION: **IBM Cognos Analytics could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202682](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202682>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2021-37136](<https://vulners.com/cve/CVE-2021-37136>) ** DESCRIPTION: **Netty netty-codec is vulnerable to a denial of service, caused by not allow size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211777>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-37137](<https://vulners.com/cve/CVE-2021-37137>) ** DESCRIPTION: **Netty netty-codec is vulnerable to a denial of service, caused by not restrict the chunk length in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause excessive memory usage, and results in a denial of service condition. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211779](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211779>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-41184](<https://vulners.com/cve/CVE-2021-41184>) ** DESCRIPTION: **jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the .position() function. A remote attacker could exploit this vulnerability using the of parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 7.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212277](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212277>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2021-41183](<https://vulners.com/cve/CVE-2021-41183>) ** DESCRIPTION: **jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the Text parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 7.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212276](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212276>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2021-41182](<https://vulners.com/cve/CVE-2021-41182>) ** DESCRIPTION: **jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the altField parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 7.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212274](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212274>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2021-39239](<https://vulners.com/cve/CVE-2021-39239>) ** DESCRIPTION: **Apache Jena could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations. By using a specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files on the server. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209530](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209530>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2021-38945](<https://vulners.com/cve/CVE-2021-38945>) ** DESCRIPTION: **IBM Cognos Analytics could allow a remote attacker to upload arbitrary files, caused by improper content validation. CVSS Base score: 6.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211238](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211238>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N) ** CVEID: **[CVE-2017-18640](<https://vulners.com/cve/CVE-2017-18640>) ** DESCRIPTION: **SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174331](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174331>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-10683](<https://vulners.com/cve/CVE-2020-10683>) ** DESCRIPTION: **dom4j could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181356](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181356>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2021-20190](<https://vulners.com/cve/CVE-2021-20190>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to a class(es) of JDK Swing. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195243](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195243>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9548](<https://vulners.com/cve/CVE-2020-9548>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177104>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9547](<https://vulners.com/cve/CVE-2020-9547>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177103>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9546](<https://vulners.com/cve/CVE-2020-9546>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177102](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177102>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-8840](<https://vulners.com/cve/CVE-2020-8840>) ** DESCRIPTION: **An unspecified error with the lack of certain xbean-reflect/JNDI blocking in FasterXML jackson-databind has an unknown impact and attack vector. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176241](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176241>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2020-36189](<https://vulners.com/cve/CVE-2020-36189>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194384](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194384>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36188](<https://vulners.com/cve/CVE-2020-36188>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194383](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194383>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36187](<https://vulners.com/cve/CVE-2020-36187>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194382](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194382>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36186](<https://vulners.com/cve/CVE-2020-36186>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194381](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194381>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36185](<https://vulners.com/cve/CVE-2020-36185>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194380](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194380>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36184](<https://vulners.com/cve/CVE-2020-36184>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194379>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36183](<https://vulners.com/cve/CVE-2020-36183>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194378](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194378>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36182](<https://vulners.com/cve/CVE-2020-36182>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194377](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194377>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36181](<https://vulners.com/cve/CVE-2020-36181>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194376](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194376>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36180](<https://vulners.com/cve/CVE-2020-36180>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194375](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194375>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36179](<https://vulners.com/cve/CVE-2020-36179>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194374](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194374>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-35728](<https://vulners.com/cve/CVE-2020-35728>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193843>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-35491](<https://vulners.com/cve/CVE-2020-35491>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193394](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193394>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-35490](<https://vulners.com/cve/CVE-2020-35490>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193391](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193391>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-25649](<https://vulners.com/cve/CVE-2020-25649>) ** DESCRIPTION: **FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192648](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192648>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) ** CVEID: **[CVE-2020-24750](<https://vulners.com/cve/CVE-2020-24750>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188470](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188470>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-24616](<https://vulners.com/cve/CVE-2020-24616>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187229>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14195](<https://vulners.com/cve/CVE-2020-14195>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in rg.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183495](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183495>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14062](<https://vulners.com/cve/CVE-2020-14062>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183425>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14061](<https://vulners.com/cve/CVE-2020-14061>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183424](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183424>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14060](<https://vulners.com/cve/CVE-2020-14060>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183422](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183422>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11620](<https://vulners.com/cve/CVE-2020-11620>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.jelly.impl.Embedded (aka commons-jelly). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179431>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11619](<https://vulners.com/cve/CVE-2020-11619>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179430](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179430>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11113](<https://vulners.com/cve/CVE-2020-11113>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178903](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178903>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11112](<https://vulners.com/cve/CVE-2020-11112>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178902](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178902>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11111](<https://vulners.com/cve/CVE-2020-11111>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178901](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178901>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10969](<https://vulners.com/cve/CVE-2020-10969>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in javax.swing.JEditorPane. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178546](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178546>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10968](<https://vulners.com/cve/CVE-2020-10968>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178544](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178544>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10673](<https://vulners.com/cve/CVE-2020-10673>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.caucho.config.types.ResourceRef (aka caucho-quercus). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178107](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178107>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10672](<https://vulners.com/cve/CVE-2020-10672>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178104>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the p6spy class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue when Default Typing is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-41165](<https://vulners.com/cve/CVE-2021-41165>) ** DESCRIPTION: **CKEditor4 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the core HTML processing module to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 8.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/213846](<https://exchange.xforce.ibmcloud.com/vulnerabilities/213846>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L) ** CVEID: **[CVE-2021-41164](<https://vulners.com/cve/CVE-2021-41164>) ** DESCRIPTION: **CKEditor4 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the Advanced Content Filter (ACF) module to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 8.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/213847](<https://exchange.xforce.ibmcloud.com/vulnerabilities/213847>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L) ## Affected Products and Versions [IBM](<https://www.ibm.com/support/pages/node/6587162> "IBM" ) Cognos Analytics 11.2.x IBM Cognos Analytics 11.1.x ## Remediation/Fixes **Affected Version**| **Fix Version** ---|--- IBM Cognos Analytics 11.2.x| [Downloading IBM Cognos Analytics 11.2.2](<https://www.ibm.com/support/pages/node/6564061> "Downloading IBM Cognos Analytics 11.2.2" ) IBM Cognos Analytics 11.1.x| [IBM Cognos Analytics 11.1.7 Fix Pack 5](<https://www.ibm.com/support/pages/node/6587162> "IBM Cognos Analytics 11.1.7 Fix Pack 5" ) **IBM Cognos Analytics on Cloud** These vulnerabilities have been remediated on all IBM Cognos Analytics on Cloud environments and no further action is required. ## Workarounds and Mitigations None ##


Affected Software


CPE Name Name Version
cognos analytics 11.2.1
cognos analytics 11.2.0
cognos analytics 11.1.7

Related


debian
unix

[SECURITY] [DLA 2638-1] jackson-databind security update

2021-04-24T20:50:12
debian
unix

[SECURITY] [DLA 2638-1] jackson-databind security update

2021-04-24T20:50:12
debian
unix

[SECURITY] [DLA 2179-1] jackson-databind security update

2020-04-17T23:51:40
debian
unix

[SECURITY] [DLA 2179-1] jackson-databind security update

2020-04-17T23:51:40
debian
unix

[SECURITY] [DLA 2270-1] jackson-databind security update

2020-07-01T12:28:47
debian
unix

[SECURITY] [DLA 2270-1] jackson-databind security update

2020-07-01T12:28:47
debian
unix

[SECURITY] [DLA 2135-1] jackson-databind security update

2020-03-05T22:55:37
debian
unix

[SECURITY] [DLA 2135-1] jackson-databind security update

2020-03-05T22:55:37
debian
unix

[SECURITY] [DLA 3230-1] jqueryui security update

2022-12-07T10:30:00
debian
unix

[SECURITY] [DLA 2153-1] jackson-databind security update

2020-03-22T12:03:56
debian
unix

[SECURITY] [DLA 2153-1] jackson-databind security update

2020-03-22T12:03:56
osv
software

jackson-databind - security update

2021-04-25T00:00:00
osv
software

jackson-databind - security update

2020-04-18T00:00:00
osv
software

jackson-databind - security update

2020-07-01T00:00:00
osv
software

jackson-databind - security update

2020-03-06T00:00:00
osv
software

jqueryui - security update

2022-12-07T00:00:00
osv
software

Arbitrary Command Execution in Hadoop

2018-12-21T17:50:26
osv
software

jackson-databind - security update

2020-03-22T00:00:00
osv
software

drupal7 - security update

2022-01-19T00:00:00
nessus
scanner

Debian DLA-2638-1 : jackson-databind security update

2021-04-27T00:00:00
nessus
scanner

Debian DLA-2179-1 : jackson-databind security update

2020-04-20T00:00:00
nessus
scanner

Oracle Primavera Unifier Multiple Vulnerabilities (Jul 2020 CPU)

2020-07-15T00:00:00
nessus
scanner

FreeBSD : puppetdb -- Multiple vulnerabilities (10e3ed8a-db7f-11ea-8bdf-643150d3111d)

2020-08-11T00:00:00
nessus
scanner

RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:1523)

2023-01-23T00:00:00
nessus
scanner

CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:1644)

2021-02-01T00:00:00
nessus
scanner

RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)

2020-04-28T00:00:00
nessus
scanner

Debian DLA-2270-1 : jackson-databind security update

2020-07-02T00:00:00
nessus
scanner

Fedora 28 : hadoop (2018-e5a8b72d0d)

2019-01-03T00:00:00
nessus
scanner

openSUSE Security Update : jackson-databind (openSUSE-2021-221)

2021-02-04T00:00:00
nessus
scanner

Debian DLA-2135-1 : jackson-databind security update

2020-03-06T00:00:00
nessus
scanner

JQuery UI < 1.13.0 Multiple XSS

2021-12-31T00:00:00
nessus
scanner

jQuery UI < 1.13.0 Multiple Vulnerabilities

2021-11-04T00:00:00
nessus
scanner

Drupal 8.9.x < 8.9.20 / 9.1.x < 9.1.14 / 9.2.x < 9.2.9 Multiple Vulnerabilities (drupal-2021-11-17)

2021-11-18T00:00:00
nessus
scanner

Drupal 9.2.x < 9.2.9 Cross-Site Scripting

2021-11-25T00:00:00
nessus
scanner

Drupal 9.1.x < 9.1.14 Cross-Site Scripting

2021-11-25T00:00:00
nessus
scanner

Drupal 8.9.x < 8.9.20 Cross-Site Scripting

2021-11-25T00:00:00
nessus
scanner

Debian DLA-3230-1 : jqueryui - LTS security update

2022-12-08T00:00:00
nessus
scanner

RHEL 7 : rh-maven35-jackson-databind (RHSA-2020:2320)

2023-01-23T00:00:00
nessus
scanner

Debian DLA-2153-1 : jackson-databind security update

2020-03-23T00:00:00
nessus
scanner

Drupal 7.x < 7.86 / 9.2.x < 9.2.11 / 9.3.x < 9.3.3 Multiple Vulnerabilities (drupal-2022-01-19)

2022-01-19T00:00:00
nessus
scanner

RHEL 7 : Satellite 6.8 release (Important) (RHSA-2020:4366)

2020-11-04T00:00:00
nessus
scanner

RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.0] (RHSA-2022:4711)

2022-05-27T00:00:00
nessus
scanner

Oracle Primavera Gateway (Apr 2020 CPU)

2020-04-15T00:00:00
nessus
scanner

Fedora 36 : ckeditor (2022-b61dfd219b)

2022-12-21T00:00:00
nessus
scanner

RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 6 (RHSA-2020:3637)

2020-09-08T00:00:00
nessus
scanner

RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 7 (RHSA-2020:3638)

2020-09-08T00:00:00
nessus
scanner

RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 8 (RHSA-2020:3639)

2020-09-08T00:00:00
nessus
scanner

Fedora 35 : drupal7 (2022-bf18450366)

2022-12-22T00:00:00
nessus
scanner

Tenable Nessus 10.x < 10.4.0 Multiple Vulnerabilities (TNS-2022-21)

2022-10-28T00:00:00
nessus
scanner

Nessus Network Monitor < 6.0.1 Multiple Vulnerabilities (TNS-2022-10)

2022-05-16T00:00:00
nessus
scanner

Fedora 36 : drupal7 (2022-9d655503ea)

2022-12-23T00:00:00
nessus
scanner

Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2022 CPU)

2022-04-20T00:00:00
ibm
software

Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability

2021-11-04T17:59:20
ibm
software

Security Bulletin: Multiple Security Vulnerabilities in Jackson-Databind Affects IBM Sterling B2B Integrator

2022-05-13T14:58:22
ibm
software

Security Bulletin: Vulnerabilities in Jackson, jQuery, and Dom4j affect IBM Spectrum Copy Data Management

2021-12-10T23:20:45
ibm
software

Security Bulletin: IBM Network Performance Insight 1.3.1 was affected by multiple vulnerabilities in jackson-databind

2021-03-16T11:30:19
ibm
software

Security Bulletin: jackson-databind vulnerabilities CVE-2020-36185/36181/36189/36188/36184/36180 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0

2021-02-01T21:53:12
ibm
software

Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities

2022-02-07T17:35:59
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

2020-08-29T08:58:37
ibm
software

Security Bulletin: Multiple Vulnerabilities in jackson-databind shipped with IBM Cloud Pak System

2022-08-11T13:19:32
ibm
software

Security Bulletin: Series of vulnerabilities in FasterXML jackson-databind affect Apache Solr shipped with IBM Operations Analytics - Log Analysis

2021-04-22T05:30:31
ibm
software

Security Bulletin: Jackson-Databind Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator

2021-10-06T14:34:14
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Operations Analytics Predictive Insights

2020-08-31T13:36:05
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affects IBM Operations Analytics Predictive Insights

2020-08-31T13:34:25
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Operations Analytics Predictive Insights

2020-08-31T13:35:32
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Operations Analytics Predictive Insights

2020-08-31T13:34:49
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Operations Analytics Predictive Insights

2020-08-31T13:37:18
ibm
software

Security Bulletin: Multiple Security Vulnerabilities in Jackson-Databind Affect IBM Sterling B2B Integrator

2022-05-13T14:58:22
ibm
software

Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has patched several open source dependencies

2021-12-18T15:42:03
ibm
software

Security Bulletin: Vulnerabilities in Node.js and FasterXML jackson-databind affect IBM Spectrum Protect Plus

2021-02-09T09:58:25
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Spectrum Protect Plus (CVE-2020-10673, CVE-2020-1112, CVE-2020-11113, CVE-2020-10672, CVE-2020-10968, CVE-2020-10969, CVE-2020-11619, CVE-2020-11111, CVE-2020-11620)

2020-07-17T21:15:57
ibm
software

Security Bulletin: Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs)

2023-02-01T21:46:21
ibm
software

Security Bulletin: IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities.

2023-04-13T10:31:50
ibm
software

Security Bulletin: Multiple vulnerabilities in Data-Binding for Jackson shipped with IBM Operations Analytics - Log Analysis

2022-11-22T08:08:05
ibm
software

Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator

2020-07-24T17:07:55
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

2020-06-19T05:07:08
ibm
software

Security Bulletin: z/Transaction Processing Facility is affected by multiple vulnerabilities in the jackson-databind, jackson-dataformat-xml, jackson-core, slf4j-ext, and cxf-core packages

2022-10-10T22:34:34
ibm
software

Security Bulletin: Vulnerabilities in FasterXML jackson-databind affect IBM Spectrum Protect Plus (CVE-2020-9548, CVE-2020-9546. CVE-2020-9547, CVE-2020-8840, CVE-2019-20330)

2020-06-12T20:29:44
ibm
software

Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability

2020-10-13T15:50:09
ibm
software

Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony

2020-04-10T01:55:37
ibm
software

Security Bulletin: jackson-databind (Publicly disclosed vulnerability) found in Network Performance Insight

2020-08-04T18:51:02
ibm
software

Security Bulletin: IBM Sterling Control Center vulnerable to arbitrary file upload and sensitive information exposure due to IBM Cognos Analytics (CVE-2021-38945, CVE-2021-29768)

2022-07-25T12:56:22
ibm
software

Security Bulletin: Multiple vulnerabilities in jQuery-UI affect IBM Tivoli Netcool Impact (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184)

2021-12-10T10:54:12
ibm
software

Security Bulletin: IBM Aspera Orchestrator was vulnerable to cross-site scripting due to multiple JQuery vulnerabilities (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182)

2023-02-02T20:55:36
ibm
software

Security Bulletin: IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184)

2022-03-03T17:06:48
ibm
software

Security Bulletin: API Connect is vulnerable to JQuery-UI Cross-Site Scripting (XSS) (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182)

2022-10-21T22:13:58
ibm
software

Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities

2022-06-16T21:33:31
ibm
software

Security Bulletin: Multiple CVEs affect IBM Integration Designer

2023-02-01T19:40:57
ibm
software

Security Bulletin: Multiple vulnerabilities affects IBM Jazz Foundation and IBM Engineering products.

2020-08-03T22:41:05
ibm
software

Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities

2022-02-18T20:23:11
ibm
software

Security Bulletin: Multiple vulnerabilities in Apache Hadoop affect Apache Solr shipped with IBM Operations Analytics - Log Analysis

2021-04-19T08:33:47
ibm
software

Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183

2023-03-27T17:00:47
ibm
software

Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony

2019-12-17T02:33:42
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

2021-02-27T03:41:33
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Netty

2021-12-17T04:21:56
ibm
software

Security Bulletin: IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2021-37136, CVE-2021-37137)

2023-02-01T15:51:44
ibm
software

Security Bulletin: Operations Dashboard is vulnerable to Netty vulnerabilities CVE-2021-37136 and CVE-2021-37137

2022-01-13T15:47:30
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

2019-12-20T08:47:33
ibm
software

Security Bulletin: Vulnerabilities exist in Watson Explorer (CVE-2021-35517, CVE-2021-36090)

2021-10-22T11:51:18
ibm
software

Security Bulletin: Multiple Websphere Vulnerabilities Impact IBM Control Center (CVE-2021-35517, CVE-2021-36090)

2021-10-14T21:10:00
ibm
software

Security Bulletin: Integrated application server and integrated web services for IBM i are affected by CVE-2021-35517 and CVE-2021-36090

2021-09-24T22:36:57
ibm
software

Security Bulletin: Multiple Vulnerabilities in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data

2022-06-22T17:20:36
ibm
software

Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server Liberty used by IBM Match 360

2021-11-30T17:02:41
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Compress

2021-11-30T16:27:39
ibm
software

Security Bulletin: Novalink is impacted by Vulnerabilities in Apache Commons Compress affect WebSphere Application Server (CVE-2021-35517, CVE-2021-36090)

2021-12-13T10:01:39
ibm
software

Security Bulletin: Multiple vulnerabilities in Apache Commons Compress affect IBM Tivoli Netcool Impact (CVE-2021-35517, CVE-2021-36090)

2021-12-10T10:58:54
ibm
software

Security Bulletin: Rational Asset Analyzer is affected by vulnerabilities in WebSphere Application Server Liberty.

2021-12-14T03:31:04
ibm
software

Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, CVE-2021-36090)

2022-03-14T21:48:00
ibm
software

Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Virtualization Engine TS7700 (CVE-2021-35517, CVE-2021-36090)

2022-03-07T19:40:28
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Websphere Application Server affect the IBM Performance Management product

2021-12-18T02:14:17
ibm
software

Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of IBM Websphere Liberty (CVE-2021-35517, CVE-2021-36090)

2022-03-16T14:14:05
ibm
software

Security Bulletin: Security Vulnerabilities affect IBM Cloud Private - Apache Commons Compress (CVE-2021-35517, CVE-2021-36090)

2022-04-22T19:56:13
ibm
software

Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server

2021-12-10T22:56:24
ibm
software

Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite

2022-02-08T19:38:43
ibm
software

Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server used by IBM Maximo Application Suite

2023-04-19T19:44:58
ibm
software

Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2021-35517, CVE-2021-36090)

2021-11-29T11:06:24
ibm
software

Security Bulletin: Security vulnerabilities in Apache Commons Compress affects IBM License Metric Tool v9.

2021-12-17T17:05:57
ibm
software

Security Bulletin: Multiple vulnerabilities in Jquery-Ui, highcharts, and datatables are affecting QRadar User Behavior Analytics (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2021-23445, CVE-2021-29489)

2022-08-05T22:43:15
ibm
software

Security Bulletin: IBM Security Guardium Insights is affected by Components with known vulnerabilities

2021-10-06T12:30:35
ibm
software

Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities

2020-07-02T19:10:46
ibm
software

Security Bulletin: Jackson vulnerabilities affect IBM Operations Analytics Predictive Insights (CVE-2019-14060, CVE-2019-14661, CVE-2019-14662)

2020-08-31T13:37:36
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson affect IBM Operations Analytics Predictive Insights (CVE-2019-14060, CVE-2019-14661, CVE-2019-14662)

2020-08-31T13:35:09
ibm
software

Security Bulletin: Vulnerabilities in Faster-XML jackson databind affects IBM Operations Analytics Predictive Insights (CVE-2019-14060, CVE-2019-14661, CVE-2019-14662)

2020-08-12T15:08:34
ibm
software

Security Bulletin: Vulnerabilities in Jackson-databind affect IBM Operations Analytics Predictive Insights (CVE-2019-14060, CVE-2019-14661, CVE-2019-14662)

2020-08-31T13:36:30
ibm
software

Security Bulletin: Vulnerabilities in Jackson-databind (excludes most polymorphic typing gadget attacks) affect IBM Operations Analytics Predictive Insights (CVE-2019-14060, CVE-2019-14661, CVE-2019-14662)

2020-08-31T13:36:54
ibm
software

Security Bulletin: Multiple security vulnerabilities have been Identified In Jackson Databind library shipped with IBM Global Mailbox

2020-07-24T17:07:55
ibm
software

Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to several attack vectors due to its use of Apache Netty (CVE-2021-37136, CVE-2021-37137, CVE-2021-43797)

2022-06-29T14:09:50
ibm
software

Security Bulletin: Multiple vulnerabilities have been identified in open source software shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library

2021-12-11T00:21:57
ibm
software

Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server which is bundled with IBM WebSphere Hybrid Edition (CVE-2021-33517, CVE-2021-36090)

2022-01-05T21:19:38
ibm
software

Security Bulletin: Security vulnerabilities ( CVE-2021-36090, CVE-2021-35517 ) in Apache Commons Compress affect WebSphere Application Server Liberty Profile, shipped with IBM Operations Analytics Predictive Insights

2021-12-15T19:33:19
ibm
software

Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect Liberty for Java for IBM Cloud (CVE-2021-33517, CVE-2021-36090)

2022-10-07T16:01:56
ibm
software

Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517, CVE-2021-36090)

2021-09-15T22:19:29
ibm
software

Security Bulletin: A vulnerability in Liberty affects IBM WIoTP MessageGateway (CVE-2021-29842)

2021-12-24T16:01:38
ibm
software

Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server & WAS Liberty is vulnerable to Information Exposure

2022-03-31T06:39:36
ibm
software

Security Bulletin: Multiple vulnerabilities in WebSphere Application Server Liberty affect IBM InfoSphere Information Server

2022-04-27T23:07:49
ibm
software

Security Bulletin: Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Operations Center and Client Management Service (CVE-2021-35578, CVE-2021-35517, CVE-2021-36090)

2022-03-12T00:05:06
ibm
software

Security Bulletin: Vulnerabilities in jQuery, Spring, Dom4j, MongoDB, Linux Kernel, Targetcli-fb, Jackson, Node.js, and Apache Commons affect IBM Spectrum Protect Plus

2020-11-20T20:41:06
ibm
software

Security Bulletin: EBICS Client of IBM Sterling B2B Interator vulnerable to multiple issues due to jQuery

2023-03-13T16:37:51
openvas
scanner

Debian LTS: Security Advisory for jackson-databind (DLA-2179-1)

2020-04-18T00:00:00
openvas
scanner

Debian LTS: Security Advisory for jackson-databind (DLA-2270-1)

2020-07-02T00:00:00
openvas
scanner

Fedora Update for hadoop FEDORA-2018-e5a8b72d0d

2018-07-15T00:00:00
openvas
scanner

Debian LTS: Security Advisory for jackson-databind (DLA-2135-1)

2020-03-06T00:00:00
openvas
scanner

Apache Hadoop < 2.7.7 Privilege Escalation Vulnerability

2018-12-05T00:00:00
openvas
scanner

Debian LTS: Security Advisory for jackson-databind (DLA-2153-1)

2020-03-23T00:00:00
openvas
scanner

Apache Axis2 1.6.2 Multiple Vulnerabilities

2015-03-17T00:00:00
openvas
scanner

Fedora Update for hadoop FEDORA-2018-f1f44e4c6d

2018-12-13T00:00:00
openvas
scanner

Fedora Update for hadoop FEDORA-2018-beec9e3fda

2019-05-07T00:00:00
mageia
unix

Updated jackson-databind packages fix security vulnerabilities

2021-03-27T14:27:02
redhat
unix

(RHSA-2021:1230) Important: OpenShift Container Platform 4.6.26 security and extras update

2021-04-27T08:48:32
redhat
unix

(RHSA-2020:1523) Important: rh-maven35-jackson-databind security update

2020-04-21T11:44:53
redhat
unix

(RHSA-2020:1644) Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update

2020-04-28T09:00:20
redhat
unix

(RHSA-2021:1515) Important: Openshift Logging Bug Fix Release (5.0.3)

2021-05-06T13:33:56
redhat
unix

(RHSA-2020:5625) Moderate: Red Hat Single Sign-On 7.4.0 security update

2020-12-17T16:36:27
redhat
unix

(RHSA-2020:3196) Important: Red Hat Decision Manager 7.8.0 Security Update

2020-07-29T06:02:59
redhat
unix

(RHSA-2020:3779) Important: Red Hat Data Grid 7.3.7 security update

2020-09-17T13:03:47
redhat
unix

(RHSA-2020:3197) Important: Red Hat Process Automation Manager 7.8.0 Security Update

2020-07-29T06:17:46
redhat
unix

(RHSA-2020:3192) Important: Red Hat Fuse 7.7.0 release and security update

2020-07-28T15:50:16
redhat
unix

(RHSA-2020:2320) Important: rh-maven35-jackson-databind security update

2020-05-26T15:00:48
redhat
unix

(RHSA-2021:3959) Moderate: Red Hat build of Eclipse Vert.x 4.1.5 security update

2021-11-10T16:37:03
redhat
unix

(RHSA-2021:4851) Low: Red Hat AMQ Broker 7.9.1 release and security update

2021-11-30T08:40:21
redhat
unix

(RHSA-2020:2067) Important: Red Hat build of Thorntail 2.5.1 security and bug fix update

2020-05-18T10:17:19
redhat
unix

(RHSA-2020:2813) Important: Red Hat Single Sign-On 7.4.1 security update

2020-07-02T13:17:12
redhat
unix

(RHSA-2020:4366) Important: Satellite 6.8 release

2020-10-27T12:45:25
redhat
unix

(RHSA-2022:4711) Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update

2022-05-26T16:04:07
redhat
unix

(RHSA-2020:3642) Important: Red Hat JBoss Enterprise Application Platform 7.2.9 security update

2020-09-07T12:53:25
redhat
unix

(RHSA-2020:3637) Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 6 security update

2020-09-07T12:47:16
redhat
unix

(RHSA-2020:3638) Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 7 security update

2020-09-07T12:47:30
redhat
unix

(RHSA-2020:3639) Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 8 security update

2020-09-07T12:48:20
redhat
unix

(RHSA-2020:2333) Important: EAP Continuous Delivery Technical Preview Release 19 security update

2020-05-28T15:47:01
freebsd
unix

puppetdb -- Multiple vulnerabilities

2020-07-23T00:00:00
rocky
unix

pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update

2020-04-28T09:00:20
githubexploit
exploit

Exploit for Deserialization of Untrusted Data in Fasterxml Jackson-Databind

2021-01-10T06:47:49
ubuntu
unix

Jackson Databind vulnerabilities

2021-03-15T00:00:00
fedora
unix

[SECURITY] Fedora 28 Update: hadoop-2.7.6-4.fc28

2018-07-15T03:34:22
fedora
unix

[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.0-1.fc35

2021-11-20T01:08:33
fedora
unix

[SECURITY] Fedora 34 Update: js-jquery-ui-1.13.0-1.fc34

2021-11-20T01:11:49
fedora
unix

[SECURITY] Fedora 33 Update: js-jquery-ui-1.13.0-1.fc33

2021-11-20T01:45:55
fedora
unix

[SECURITY] Fedora 29 Update: hadoop-2.7.7-1.fc29

2018-12-09T21:02:57
fedora
unix

[SECURITY] Fedora 28 Update: hadoop-2.7.7-1.fc28

2018-12-09T21:02:07
fedora
unix

[SECURITY] Fedora 37 Update: drupal7-7.92-1.fc37

2022-11-10T22:46:29
fedora
unix

[SECURITY] Fedora 35 Update: drupal7-7.92-1.fc35

2022-11-03T15:31:08
fedora
unix

[SECURITY] Fedora 36 Update: drupal7-7.92-1.fc36

2022-10-23T09:04:53
f5
software

jQuery vulnerabilities CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184

2022-03-28T18:24:00
f5
software

jackson-databind vulnerabilities CVE-2019-16943 and CVE-2019-17531

2020-06-03T22:21:00
drupal
software

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011

2021-11-17T00:00:00
drupal
software

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

2022-01-19T00:00:00
veracode
software

Privilege Escalation

2018-11-28T09:37:58
redhatcve
info

CVE-2018-11766

2018-11-28T10:49:38
github
software

Arbitrary Command Execution in Hadoop

2018-12-21T17:50:26
cve
NVD

CVE-2018-11766

2018-11-27T14:29:00
cve
NVD

CVE-2021-29768

2022-06-24T16:15:00
cve
NVD

CVE-2021-38945

2022-06-24T16:15:00
checkpoint_advisories
info

jQuery UI Datepicker Widget Cross Site Scripting (CVE-2021-41182; CVE-2021-41183)

2022-03-14T00:00:00
checkpoint_advisories
info

FasterXML jackson-databind Remote Code Execution (CVE-2020-14645; CVE-2020-24616; CVE-2020-8840)

2020-12-27T00:00:00
oraclelinux
unix

pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update

2020-05-05T00:00:00
almalinux
unix

Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update

2020-04-28T09:00:20
cnvd
cnvd

IBM Cognos Analytics Information Disclosure Vulnerability (CNVD-2022-54641)

2022-06-28T00:00:00
cnvd
cnvd

IBM Cognos Analytics File Upload Vulnerability

2022-06-28T00:00:00
cloudfoundry
software

Various CVEs: UAA consumes vulnerable versions of FasterXML jackson-databind | Cloud Foundry

2019-11-13T00:00:00