(RHSA-2020:0899) Important: Red Hat Decision Manager 7.7.0 Security Update

2020-03-18T17:30:04

Description

Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.7.0 serves as an update to Red Hat Decision Manager 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * elasticsearch: Improper permission issue when attaching a new name to an index (CVE-2019-7611) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267) * jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure (CVE-2019-0231) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

{"id": "RHSA-2020:0899", "vendorId": null, "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2020:0899) Important: Red Hat Decision Manager 7.7.0 Security Update", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.7.0 serves as an update to Red Hat Decision Manager 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\n* elasticsearch: Improper permission issue when attaching a new name to an index (CVE-2019-7611)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531)\n\n* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n* jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n* mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure (CVE-2019-0231)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "published": "2020-03-18T17:30:04", "modified": "2020-03-18T17:30:28", "epss": [{"cve": "CVE-2019-0231", "epss": 0.00068, "percentile": 0.28121, "modified": "2023-06-03"}, {"cve": "CVE-2019-10086", "epss": 0.00311, "percentile": 0.65692, "modified": "2023-06-03"}, {"cve": "CVE-2019-14540", "epss": 0.00365, "percentile": 0.68377, "modified": "2023-06-03"}, {"cve": "CVE-2019-14892", "epss": 0.00374, "percentile": 0.68751, "modified": "2023-06-03"}, {"cve": "CVE-2019-14893", "epss": 0.01801, "percentile": 0.86355, "modified": "2023-06-03"}, {"cve": "CVE-2019-16335", "epss": 0.00508, "percentile": 0.73179, "modified": "2023-06-03"}, {"cve": "CVE-2019-16942", "epss": 0.00292, "percentile": 0.64594, "modified": "2023-06-03"}, {"cve": "CVE-2019-16943", "epss": 0.00292, "percentile": 0.64594, "modified": "2023-06-03"}, {"cve": "CVE-2019-17267", "epss": 0.00635, "percentile": 0.76103, "modified": "2023-06-03"}, {"cve": "CVE-2019-17531", "epss": 0.00837, "percentile": 0.79696, "modified": "2023-06-03"}, {"cve": "CVE-2019-7611", "epss": 0.00244, "percentile": 0.60997, "modified": "2023-06-03"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://access.redhat.com/errata/RHSA-2020:0899", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2019-0231", "CVE-2019-10086", "CVE-2019-14540", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-7611"], "immutableFields": [], "lastseen": "2023-06-03T15:19:47", "viewCount": 62, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:1644"]}, {"type": "amazon", "idList": ["ALAS2-2020-1395"]}, {"type": "archlinux", "idList": ["ASA-201902-27"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-20722"]}, {"type": "centos", "idList": ["CESA-2020:0194"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:DBBC716FD85510861511BDE10DD24963"]}, {"type": "cve", "idList": ["CVE-2019-0231", "CVE-2019-10086", "CVE-2019-14540", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-7611"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1896-1:572E2", "DEBIAN:DLA-1896-1:853E6", "DEBIAN:DLA-1943-1:5F5AB", "DEBIAN:DLA-1943-1:9AD98", "DEBIAN:DLA-2030-1:DE561", "DEBIAN:DLA-2030-1:F7B6F", "DEBIAN:DSA-4542-1:03F2D", "DEBIAN:DSA-4542-1:432E5"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-10086", "DEBIANCVE:CVE-2019-14540", "DEBIANCVE:CVE-2019-14892", "DEBIANCVE:CVE-2019-14893", "DEBIANCVE:CVE-2019-16335", "DEBIANCVE:CVE-2019-16942", "DEBIANCVE:CVE-2019-16943", "DEBIANCVE:CVE-2019-17267", "DEBIANCVE:CVE-2019-17531"]}, {"type": "f5", "idList": ["F5:K32562850"]}, {"type": "fedora", "idList": ["FEDORA:18A7960877B3", "FEDORA:277F560476FA", "FEDORA:4D359608778C", "FEDORA:772A7605712B", "FEDORA:929076060E6D", "FEDORA:A09EE6087595", "FEDORA:AE8886060E81", "FEDORA:BFF95608779F", "FEDORA:C91E46060E8C", "FEDORA:D948D608771F", "FEDORA:EF5B36120D8F", "FEDORA:F015D61278C8"]}, {"type": "github", "idList": ["GHSA-5H29-QQ92-WJ7F", "GHSA-6PHF-73Q6-GH87", "GHSA-85CW-HJ65-QQV9", "GHSA-CF6R-3WGC-H863", "GHSA-F3J5-RMMP-3FC5", "GHSA-FJ32-6V7M-57PG", "GHSA-FMMC-742Q-JG75", "GHSA-GJMW-VF9H-G25V", "GHSA-H822-R4R5-V8JG", "GHSA-MX7P-6679-8G3Q", "GHSA-QMQC-X3R4-6V39"]}, {"type": "githubexploit", "idList": ["E97398D8-35E8-5902-B099-77F8F7935593"]}, {"type": "ibm", "idList": ["005BEBF506CCF33E4F5413948FD5D525CD71253A26E30C58CD0892DC694DCDEB", "03691F1EE0B131D78EA0BD89002CC0B602DB37A603D015DF70107A778260C592", "037DC92C3964B9BE83FE00549FB0CE6C44ACB2D76406400ED57CA4D310EF3538", "03BD9C6A634D56977256D0EB02550574DC21A677D8E08EEB57FD8C5F206D469F", "03FE2232223502F02C580E374AD84A4FA45BE8EED10FB86E986C5EE051FC791B", "07988475CE9095B9471700FFB4FFB199A58AB32837E3178BE094D53E97B8461A", "0BC017C730A770E349E300089D6DB71D200CA299BDBFA58821787583FA3F9DB1", "10FBEBB14A30BC73B75E0DF3E1AC14E07BC218A2AAE122217F23444AA2EEB55D", "11AC7F14B60A5C486180C6662F02676A29D51924B42EC510A55CFB87D09F8654", "126E1024546918D07264839DD88F2FF75D58789A0F611D0689966886112B533B", "16BD53FF8D4AF4008A6B9480C8D62C5AECEF46E4F486EC150D2D9BBC2C7349FC", "17179127276D2C8BCC739D66B23A070D5DCF232A120A9E4EF31DA0C49E8077B9", "1A7668E81452E83AB00678328095567DA17543F8BDE6DB1EE678E96C5B064FD6", "1B99BE15EF0865EC7D6CAAD98E1510DF110D3FC32411F14658640A57804FCBB5", "1C1678518312F18585D48228E2C4D89CBF458CAF1277708839EA38E32D0F11E3", "1EB9F8573A9E928E14652E6C4EA6633663E35B33C744263304C0A5C14EC87569", "204ADCCC258487D6D5F8C848C95DAB38413055F4AFD05DFCF56FD7435CBF7C69", "217BB6C17A6FD504F278CE0259F71540873D9ACBEC02EC2F580CED3F0A79FB4A", "257282661EC40294AA6CD7D16D142C7D834B7703E989C3E4C143A5B9AF27C918", "284009013594AC874FBB6555FD1C3E3775FEBDC4274891F220C759B5966E4021", "2B4BFF0D4D521D5012752D32EC9AED8D7B42C9CCDA58A0989CACAC0FE91E3799", "2F2115F5724B651AC6B9F0B28265F93BC7C9AB2AC6ADC0181AFF86004B79A417", "2FD3E49CE60F2B203500062AB6489DE468C043F3E44529783A2D6A816327E9F5", "2FE97BC0DB8A3B1BCF85FF8F69828770D4396C7CC3ABD37202D8089D2CADF87B", "31D7DCC8D683A82E44671DA5A38CDC1A58877727926C937FE8D9FD9EE9FD2370", "35774A12657731256610BEB1ACB2AE99C105060354AA560F82DED28AE65A8B24", "376BF79A42FDC2B79EA0ACE3299D7D2BC084C5F6732575256A96FE46F43D836F", "38FAB199DF9F4E39A65615F1E108853EF74C41252303325B3AE91FF543CD105A", "39C354245E58DEA5508935346917841B7B505E810D13B316B0E6615AD25C04D2", "3E90D8B117724A689CF205EB148C972A5AC679705260655DC0A260183EE9C99E", "40F7CBCFB58A3B19B3D79CA6DAD7B6DC2BDC641FF8B170D51B354FDEBE613E4B", "418A4C8D1E8F2E8A923DFE2C36570B4A5EF7B515E050C0F19513AF3DAE7D2628", "41BB6A57FAD3A6133AC798B9A434DFE0BA0E9AC64CD3258AAECCEAD5451AF287", "41CB9666A88AE67D4A0558674B8CFDA62F160B6DDCBA3C10576515447887CF12", "441A6459C1CBE843EDD7F5C4D862AA7C6F90584EA901F82EF1B6D31B418078EB", "4C149E6F2A02DE48EF008D908A63161BF93C07DD6B16401AC765C3B64D274497", "4D266A154A3DA31DCA059F3C44F85045C1027D42EEAD68DA8098C2A3E0994AF2", "4F441F1EC2D2D7EA1D9033E689E8C62FE264F17CF627C618EF574955EF8C49D0", "4F83742D4D9E3F03A6481F27A21969D4333962D309ACFDC2D174BF09D63F0F8A", "4F9B97366DEEBEF2DEE9D041B3982BB1DF67BB173569B8AD40A84B319E78729B", "5041F3D5141A619380512BA58DDE4E2250632BFCFF26D7B947F0A03A7FFC021B", "567625FF8DF333D5C563E40EDFFF9516FF13EA40EAFE9A2E68635850284A1A44", "57D600CD2AA47C0B8ED95337C0FAC5BB49FA1D0A06E1B389ADB391978858A509", "5A2425933E89E2C50FE1F3B1903983FFF1089EEE55483682712FA0DB9D6A700B", "5B63337BED8D1831437D9E9CDA230341D96CD4E72BF44B64671DD96E2E83D164", "61FF6F10F0D76277F85A8A525D2C9989283AB04F3D830BEC0894CE78DF0624A3", "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "65575758CE6E879BDCFD17ADB708B2448CDF9C00E078AEFB1967358BF519C078", "661EF6C7BBF8AD251228707DD8EDA4B08D9235BFBAA6C9BCAC49A5F4CECDE3DD", "69C147CB642B39AA3250947FC1868ED542CC9C2C3BED4BA821CAD9BA0F178E84", "6BA96613CB9284A12C5C7BA5B1AF346C52C407C3784639F8A63CA5F6E90563C2", "705D1AA8DC1EFC5A25852EAE8F70114AEDB618E07145B676E2B502DEDBEBA92D", "7463232BD9391B70113F6779133DEEDF82C2F9FB5E2F9C9C4D0363B332E72184", "74A64D86F481DEE0890B283DD0C93883DCD1F9CD9011875F5CCF194BC49A6A89", "757696CF6B25D861147516A0233F27AA8ED63CE44EC3D079E6265FF809DBCB35", "766578EB2C7BE8A81F504B4989C22C31CF802D03B94649D36D4712AB13F788F0", "790AEE8158E5072311EE0B1D8C1CACC2CAE27CA8C7B75F39AD990B40790CFB8C", "7AABFFD7EDE8A56FF3E63014903A8533BF0F07389F0D81F452A4D9AFF5CEB90B", "7BE38BC9D9063F34BE9B8AEC73F5518E1D7B0EC8F35109DB2E64EBA48061A6DB", "7C687A5C4DA5F147CCB651C24229AA31D311EBB13BB2DF3508D7A6085EF3DD7D", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E120392C6B27EF023444674C7B2E2BB0AF1032844B5941C3D340385D2344B0E", "7F1C012CC641EF0CCDD9BC749B665F263D22200F5DA78D27932DB5F6F0D9433E", "8450E3844A56758A6756AAD90428DBE81790CEE3008B7F3BE6DC26A4C36196CB", "8677F08636676A812666D9173BE281822A35EA2589B586A211824F7B588BD018", "86BC382413D13FEC49BBCF5FC0129F8B83C058E0C0CDD0CFC599911E284C4FA7", "872A188EC4E2613A4C8DAA4C113C491ED5226F5BC56BB46BEC54BB14EB8DB940", "891E5F0424A107621BE648D5F1576C607F7834B3BC114E0F945E5010BA70A9F3", "8EFB8A654D3536DD4481500A7680D75E0B2A04D2F63C829CAE130B12A35D7ED3", "90246D34A2A9EC4005A1B788C09D0DF4366E66BC9D5DC5A39EEF5286DE79E161", "90CF485116A952ADEC5B5A85E722DF33D1556D18AE9C7D1F5699712F4EB9F66A", "92627E627D103D4038024BCFD810986107E14AF89DB4426C430D1DE63EBADE27", "9568E59FBC9F48E0CA633A74AB406265AC01F813ACFBBF2AC3F70CCAF62213C1", "9789CEECC4EAE227807072B0D67DFDE94D1DD1B27DF1CA3800BB5E560EEA2FD9", "9AB1E803E873C7A84CE99F66DE88AF1E8B46E7101BF649CF589989C1581AAA3B", "9BBB794BF1DCF8660F8460268754D1A7E827EF26EEF07D631316C9EF5FC3CBDD", "9D474CFA28D8B0313A49C799D05622C172F9872EA0EAE8F12773DAC4E1DEF768", "9E2B2130333F7B296A139DA27C7C1DFF42D07DAB80C79514BA01F6BD2399CA84", "A07C9B7C7D5952E2BBD4C0874BEC859D77892E662D993098C91BDFD5CD4FF6ED", "A0C17B7FA23DBF1DC4FACFA7A00FFB9DEE0554664F67073C8C966AAD62F6C865", "A0EF1B53F76A87117F5A8C9A4208296020E4E538E12E58B3F85BF4F0ADDB481A", "A1EF9298714E6ED876FC447E879AE4AEF24B3BAE418A5BF1CCD587D6F1B0DF70", "AC5DE01326AFA37CBA7F799502684F57AF3D9271EC49734648DB7797522AF2E8", "ACDFCA5E93908C1CC35E54B4EF854ED57BCD6CD2641A3590CD2418E8BCA917EA", "ADF0635C8C226573B68B90CCCD3BBEE5D58D01FA40BFFCEB1F024C6F94610012", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "B5B6C4769983441433B811EF3AAED6CFC993849D42BC924ECF1CCA5E34838148", "B7B1A8DAB1A897FBFE8F37F46B5A9BAA67F914F715D69E265E2F4E7D8FBB16AF", "BA52B3AF65440148334C9734035B65F3CECB36A8D91122A0BF7EEA75DD6FF353", "BE28B80282A36EB5AE12EA4346DFDEB6572CBBFD3F23A4A31E09F4406B8F71BD", "C034F4A93C7986F86B5276634B82B774DA1796B9A2CC2371DA4859670D82233E", "C06037486063080DAF0903578E651F281F08105507F07A61B0292AD4FC96B7DB", "C22253825FA485019FC06565D7E7D6C4103E0C10B6510212859354833FAEB242", "C43D2CB156B7BD39FC113EAD22568306F95463D3E29CC3A697EB085F142533BB", "CA9DCF531A11B03DA139506DC9F6319E49C554DF0F64E8DEC99E49C30FB2656F", "CB6124223B6F8216BA9E92EAD6DAFC187E51AC4BEC28594EAEF38B28FCD5792F", "CCFD0AA6FE0B04D655CB682E840C88D56CFE6066B6B9B349560AFB2C6DFBCB00", "CEFB2CDD169330DA5EC688A529952C2E9694D94C3E8E4A50C9011E9A9F7FD71F", "CFD032C6816AA09BC4BFE927259D2C7496159BC447A779769DEB0DECC4952A56", "D10B18EC28A032EFEE6049343ECB3633CC65AE8BDF915EC68181989AB9170F54", "D21E913C6ADECF8EF09DE3D9AEE7C0E5E9B0753FDE5C8D754FBFEF41B5821AD7", "D5FC186AFDC475BF1011609D51599D9F4054E10263C52218648C49E2D757DF13", "D6A278AD53F24F8C2A141B0CE86714271C028E265EA5E488D59254EE85EA8F0B", "D76879E8E9C0967E4A6B7FF8216C0847B633BB1DAC32CEE31E4544A60A45BA68", "D9172969D61CF2C2B1320CAD15CAF5A2806FCA9580D5A6E5A2E2C98FF12E2386", "DBC93191D0CAD269E349815A49C42AC2828C17CA40F468830256608583D50FBE", "DC05F94C20E54530B22A0F7C5D47B16BEB79F796391043B6D8D2F3934DA6C247", "DD34B9BC3B107A1DC572E91FE164C11C4D3B050CFD5A53884C66DA680566DEB4", "DED899C681C4F01F658F5349E77058BDF8C51E88FADBC17AC63AAD856B4CADE5", "E298AFAE6C10545EEFE2EDCB1E58ACEB81769C82FC173BB89206A046496B5501", "E51DDF73E3F5CD96B12560329D18889F698C09D96494E43FCCF428FEC32A1F2E", "E5BBCEF719E615994F1B258C759E10E101CC12EE74BBCBA1AFE726D5AFF29509", "E652AD074D4537242E4F6F6865F5497FE3BCB4D68389AAE0D3EB706D9D1DD1ED", "E8E3D041384B3A1C50DFC8E8DD6B7415911290515C88A2C292DAF367F018B0E7", "EA52924E34BCC16950981552A3FA767720FFB0ABD2C4348121C16E9BA6BD4C80", "F9ED99C3F4B2D868A3826BA34135EFCC7EF1978329C535488F23E6CF98DA913D", "FDEE9E01E031FC60EEE159972E198CED45F49D69002CB877DA62B3D2C1C0494A", "FE682ECFC10CBB3EA19CC98A95397F776F34168220DD72550FAE4CF5E216A9CC", "FE6A60EA653FEE6F655EBB8429BCB70E7D54726EC0055ECB440856BF66B419CA"]}, {"type": "mageia", "idList": ["MGASA-2019-0399", "MGASA-2021-0153"]}, {"type": "nessus", "idList": ["AL2_ALAS-2020-1395.NASL", "CENTOS8_RHSA-2020-1644.NASL", "CENTOS_RHSA-2020-0194.NASL", "DEBIAN_DLA-1896.NASL", "DEBIAN_DLA-1943.NASL", "DEBIAN_DLA-2030.NASL", "DEBIAN_DSA-4542.NASL", "ELASTICSEARCH_ESA_2019_04.NASL", "FEDORA_2019-79B5790566.NASL", "FEDORA_2019-B171554877.NASL", "FEDORA_2019-BCAD44B5D6.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_23.NASL", "NEWSTART_CGSL_NS-SA-2020-0011_APACHE-COMMONS-BEANUTILS.NASL", "NEWSTART_CGSL_NS-SA-2020-0100_APACHE-COMMONS-BEANUTILS.NASL", "OPENSUSE-2019-2058.NASL", "ORACLELINUX_ELSA-2020-0194.NASL", "ORACLE_E-BUSINESS_CPU_APR_2021.NASL", "ORACLE_E-BUSINESS_CPU_JAN_2022.NASL", "ORACLE_E-BUSINESS_CPU_OCT_2022.NASL", "ORACLE_ENTERPRISE_MANAGER_CPU_APR_2021.NASL", "ORACLE_OATS_CPU_JUL_2021.NASL", "ORACLE_OBIEE_CPU_APR_2023_OAS.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_APR_2020.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2020.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2020.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2020.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2021.NASL", "ORACLE_RDBMS_CPU_JUL_2020.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2020.NBIN", "ORACLE_WEBCENTER_PORTAL_CPU_JAN_2021.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_JUL_2020.NBIN", "ORACLE_WEBCENTER_SITES_APR_2020_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2020.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2020.NASL", "PHOTONOS_PHSA-2019-2_0-0155_ELASTICSEARCH.NASL", "REDHAT-RHSA-2020-0057.NASL", "REDHAT-RHSA-2020-0159.NASL", "REDHAT-RHSA-2020-0160.NASL", "REDHAT-RHSA-2020-0161.NASL", "REDHAT-RHSA-2020-0194.NASL", "REDHAT-RHSA-2020-0804.NASL", "REDHAT-RHSA-2020-0805.NASL", "REDHAT-RHSA-2020-0806.NASL", "REDHAT-RHSA-2020-1308.NASL", "REDHAT-RHSA-2020-1454.NASL", "REDHAT-RHSA-2020-1644.NASL", "REDHAT-RHSA-2020-2740.NASL", "SL_20200121_APACHE_COMMONS_BEANUTILS_ON_SL7_X.NASL", "WEBSPHERE_1115085.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704542", "OPENVAS:1361412562310852686", "OPENVAS:1361412562310876898", "OPENVAS:1361412562310876900", "OPENVAS:1361412562310876901", "OPENVAS:1361412562310876904", "OPENVAS:1361412562310876908", "OPENVAS:1361412562310876994", "OPENVAS:1361412562310877119", "OPENVAS:1361412562310877152", "OPENVAS:1361412562310877212", "OPENVAS:1361412562310877267", "OPENVAS:1361412562310877291", "OPENVAS:1361412562310877322", "OPENVAS:1361412562310883171", "OPENVAS:1361412562310891896", "OPENVAS:1361412562310891943", "OPENVAS:1361412562310892030"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2020", "ORACLE:CPUAPR2021", "ORACLE:CPUAPR2022", "ORACLE:CPUAPR2023", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJAN2022", "ORACLE:CPUJUL2020", "ORACLE:CPUJUL2021", "ORACLE:CPUJUL2022", "ORACLE:CPUOCT2019", "ORACLE:CPUOCT2020", "ORACLE:CPUOCT2021", "ORACLE:CPUOCT2022"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-0194", "ELSA-2020-1644"]}, {"type": "osv", "idList": ["OSV:DLA-1896-1", "OSV:DLA-1943-1", "OSV:DLA-2030-1", "OSV:DSA-4542-1", "OSV:GHSA-5H29-QQ92-WJ7F", "OSV:GHSA-6PHF-73Q6-GH87", "OSV:GHSA-85CW-HJ65-QQV9", "OSV:GHSA-CF6R-3WGC-H863", "OSV:GHSA-F3J5-RMMP-3FC5", "OSV:GHSA-FJ32-6V7M-57PG", "OSV:GHSA-FMMC-742Q-JG75", "OSV:GHSA-GJMW-VF9H-G25V", "OSV:GHSA-H822-R4R5-V8JG", "OSV:GHSA-MX7P-6679-8G3Q", "OSV:GHSA-QMQC-X3R4-6V39"]}, {"type": "photon", "idList": ["PHSA-2019-0014", "PHSA-2019-0155", "PHSA-2019-0225", "PHSA-2019-1.0-0225", "PHSA-2019-2.0-0155", "PHSA-2019-3.0-0014"]}, {"type": "redhat", "idList": ["RHSA-2019:3200", "RHSA-2019:3901", "RHSA-2019:4192", "RHSA-2019:4317", "RHSA-2020:0057", "RHSA-2020:0159", "RHSA-2020:0160", "RHSA-2020:0161", "RHSA-2020:0164", "RHSA-2020:0194", "RHSA-2020:0445", "RHSA-2020:0729", "RHSA-2020:0804", "RHSA-2020:0805", "RHSA-2020:0806", "RHSA-2020:0811", "RHSA-2020:0895", "RHSA-2020:0939", "RHSA-2020:0951", "RHSA-2020:1308", "RHSA-2020:1454", "RHSA-2020:1644", "RHSA-2020:2067", "RHSA-2020:2321", "RHSA-2020:2333", "RHSA-2020:2619", "RHSA-2020:2740", "RHSA-2020:3192", "RHSA-2020:3197", "RHSA-2020:3247", "RHSA-2020:3587"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-0231", "RH:CVE-2019-10086", "RH:CVE-2019-14540", "RH:CVE-2019-14892", "RH:CVE-2019-14893", "RH:CVE-2019-16335", "RH:CVE-2019-16942", "RH:CVE-2019-16943", "RH:CVE-2019-17267", "RH:CVE-2019-17531", "RH:CVE-2019-7611"]}, {"type": "rocky", "idList": ["RLSA-2020:1644"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2058-1"]}, {"type": "symantec", "idList": ["SMNTC-109915", "SMNTC-110333", "SMNTC-111283", "SMNTC-111525", "SMNTC-111564"]}, {"type": "ubuntu", "idList": ["USN-4766-1", "USN-4813-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-10086", "UB:CVE-2019-14540", "UB:CVE-2019-14892", "UB:CVE-2019-14893", "UB:CVE-2019-16335", "UB:CVE-2019-16942", "UB:CVE-2019-16943", "UB:CVE-2019-17267", "UB:CVE-2019-17531", "UB:CVE-2019-7611"]}, {"type": "veracode", "idList": ["VERACODE:13636", "VERACODE:20737", "VERACODE:21314", "VERACODE:21522", "VERACODE:21523", "VERACODE:21602", "VERACODE:21603", "VERACODE:21650", "VERACODE:21692", "VERACODE:22002", "VERACODE:22003"]}]}, "score": {"value": 1.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:1644"]}, {"type": "amazon", "idList": ["ALAS2-2020-1395"]}, {"type": "archlinux", "idList": ["ASA-201902-27"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-20722"]}, {"type": "centos", "idList": ["CESA-2020:0194"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:DBBC716FD85510861511BDE10DD24963"]}, {"type": "cve", "idList": ["CVE-2019-10086", "CVE-2019-7611"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1896-1:572E2", "DEBIAN:DLA-2030-1:F7B6F"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-10086"]}, {"type": "f5", "idList": ["F5:K32562850"]}, {"type": "fedora", "idList": ["FEDORA:18A7960877B3", "FEDORA:277F560476FA", "FEDORA:4D359608778C", "FEDORA:772A7605712B", "FEDORA:929076060E6D", "FEDORA:A09EE6087595", "FEDORA:AE8886060E81", "FEDORA:BFF95608779F", "FEDORA:C91E46060E8C", "FEDORA:D948D608771F", "FEDORA:EF5B36120D8F", "FEDORA:F015D61278C8"]}, {"type": "github", "idList": ["GHSA-85CW-HJ65-QQV9", "GHSA-FMMC-742Q-JG75", "GHSA-GJMW-VF9H-G25V", "GHSA-H822-R4R5-V8JG", "GHSA-MX7P-6679-8G3Q"]}, {"type": "githubexploit", "idList": ["E97398D8-35E8-5902-B099-77F8F7935593"]}, {"type": "ibm", "idList": ["17179127276D2C8BCC739D66B23A070D5DCF232A120A9E4EF31DA0C49E8077B9", "1A7668E81452E83AB00678328095567DA17543F8BDE6DB1EE678E96C5B064FD6", "C034F4A93C7986F86B5276634B82B774DA1796B9A2CC2371DA4859670D82233E", "DD34B9BC3B107A1DC572E91FE164C11C4D3B050CFD5A53884C66DA680566DEB4", "E51DDF73E3F5CD96B12560329D18889F698C09D96494E43FCCF428FEC32A1F2E", "FE682ECFC10CBB3EA19CC98A95397F776F34168220DD72550FAE4CF5E216A9CC"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/CENTOS_LINUX-CVE-2019-17531/"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2020-0194.NASL", "DEBIAN_DLA-2030.NASL", "FEDORA_2019-79B5790566.NASL", "FEDORA_2019-BCAD44B5D6.NASL", "ORACLE_E-BUSINESS_CPU_APR_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2021.NASL", "REDHAT_UPDATE_LEVEL.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852686", "OPENVAS:1361412562310876994", "OPENVAS:1361412562310883171", "OPENVAS:1361412562310891896", "OPENVAS:1361412562310892030"]}, {"type": "oracle", "idList": ["ORACLE:CPUOCT2019-5072832"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1644"]}, {"type": "photon", "idList": ["PHSA-2019-1.0-0225", "PHSA-2019-2.0-0155", "PHSA-2019-3.0-0014"]}, {"type": "redhat", "idList": ["RHSA-2019:4192", "RHSA-2020:0811"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-0231", "RH:CVE-2019-14892", "RH:CVE-2019-14893", "RH:CVE-2019-17531", "RH:CVE-2019-7611"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2058-1"]}, {"type": "symantec", "idList": ["SMNTC-111525"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-10086", "UB:CVE-2019-14540", "UB:CVE-2019-14892", "UB:CVE-2019-14893", "UB:CVE-2019-16335", "UB:CVE-2019-16942", "UB:CVE-2019-16943", "UB:CVE-2019-17267", "UB:CVE-2019-17531"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-0231", "epss": 0.00068, "percentile": 0.28015, "modified": "2023-05-06"}, {"cve": "CVE-2019-10086", "epss": 0.00311, "percentile": 0.65589, "modified": "2023-05-06"}, {"cve": "CVE-2019-14540", "epss": 0.00537, "percentile": 0.73823, "modified": "2023-05-06"}, {"cve": "CVE-2019-14892", "epss": 0.00332, "percentile": 0.6675, "modified": "2023-05-06"}, {"cve": "CVE-2019-14893", "epss": 0.01801, "percentile": 0.86309, "modified": "2023-05-06"}, {"cve": "CVE-2019-16335", "epss": 0.00508, "percentile": 0.7308, "modified": "2023-05-06"}, {"cve": "CVE-2019-16942", "epss": 0.00292, "percentile": 0.64465, "modified": "2023-05-06"}, {"cve": "CVE-2019-16943", "epss": 0.00292, "percentile": 0.64465, "modified": "2023-05-06"}, {"cve": "CVE-2019-17267", "epss": 0.00635, "percentile": 0.7603, "modified": "2023-05-06"}, {"cve": "CVE-2019-17531", "epss": 0.00837, "percentile": 0.79661, "modified": "2023-05-06"}, {"cve": "CVE-2019-7611", "epss": 0.00244, "percentile": 0.60899, "modified": "2023-05-06"}], "vulnersScore": 1.2}, "_state": {"dependencies": 1685813433, "score": 1685806281, "epss": 0}, "_internal": {"score_hash": "fa31d8768a36fa340951719b535caef5"}, "affectedPackage": [], "vendorCvss": {"severity": "important"}}

{"redhat": [{"lastseen": "2023-06-03T15:19:47", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.7.0 serves as an update to Red Hat Process Automation Manager 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* elasticsearch: Improper permission issue when attaching a new name to an index (CVE-2019-7611)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531)\n\n* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n* jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n* mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure (CVE-2019-0231)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-18T14:45:02", "type": "redhat", "title": "(RHSA-2020:0895) Moderate: Red Hat Process Automation Manager 7.7.0 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0231", "CVE-2019-14540", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-7611"], "modified": "2020-03-18T14:45:28", "id": "RHSA-2020:0895", "href": "https://access.redhat.com/errata/RHSA-2020:0895", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:47", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening\non HTTPS (CVE-2019-14888)\n\n* jboss-cli: JBoss EAP: Vault system property security attribute value is\nrevealed on CLI 'reload' command (CVE-2019-14885)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in\nHTTP headers (CVE-2019-16869)\n\n* jackson-databind: polymorphic typing issue related to\ncom.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package\n(CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in classes of the\ncommons-configuration package (CVE-2019-14892)\n\n* jackson-databind: polymorphic typing issue related to\ncom.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in classes of the p6spy package\n(CVE-2019-16943)\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an\nexternally exposed JSON endpoint and having apache-log4j-extra in the classpath\nleads to code execution (CVE-2019-17531)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package\n(CVE-2019-14893)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package\n(CVE-2019-17267)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-20T15:57:06", "type": "redhat", "title": "(RHSA-2020:0164) Important: Red Hat JBoss Enterprise Application Platform 7.2.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2020-01-21T02:21:15", "id": "RHSA-2020:0164", "href": "https://access.redhat.com/errata/RHSA-2020:0164", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:47", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening\non HTTPS (CVE-2019-14888)\n\n* jboss-cli: JBoss EAP: Vault system property security attribute value is\nrevealed on CLI 'reload' command (CVE-2019-14885)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in\nHTTP headers (CVE-2019-16869)\n\n* jackson-databind: polymorphic typing issue related to\ncom.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package\n(CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in classes of the\ncommons-configuration package (CVE-2019-14892)\n\n* jackson-databind: polymorphic typing issue related to\ncom.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in classes of the p6spy package\n(CVE-2019-16943)\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an\nexternally exposed JSON endpoint and having apache-log4j-extra in the classpath\nleads to code execution (CVE-2019-17531)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package\n(CVE-2019-14893)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package\n(CVE-2019-17267)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-20T15:36:02", "type": "redhat", "title": "(RHSA-2020:0161) Important: Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2020-01-21T02:37:28", "id": "RHSA-2020:0161", "href": "https://access.redhat.com/errata/RHSA-2020:0161", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:47", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n* jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943)\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-20T15:35:57", "type": "redhat", "title": "(RHSA-2020:0159) Important: Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2020-01-21T02:39:23", "id": "RHSA-2020:0159", "href": "https://access.redhat.com/errata/RHSA-2020:0159", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:47", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening\non HTTPS (CVE-2019-14888)\n\n* jboss-cli: JBoss EAP: Vault system property security attribute value is\nrevealed on CLI 'reload' command (CVE-2019-14885)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in\nHTTP headers (CVE-2019-16869)\n\n* jackson-databind: polymorphic typing issue related to\ncom.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package\n(CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in classes of the\ncommons-configuration package (CVE-2019-14892)\n\n* jackson-databind: polymorphic typing issue related to\ncom.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in classes of the p6spy package\n(CVE-2019-16943)\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an\nexternally exposed JSON endpoint and having apache-log4j-extra in the classpath\nleads to code execution (CVE-2019-17531)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package\n(CVE-2019-14893)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package\n(CVE-2019-17267)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-20T15:35:59", "type": "redhat", "title": "(RHSA-2020:0160) Important: Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2020-01-21T02:40:19", "id": "RHSA-2020:0160", "href": "https://access.redhat.com/errata/RHSA-2020:0160", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:47", "description": "<< AUTOMATICALLY GENERATED, EDIT PLEASE >>\nRed Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.3.6 serves as a replacement for Red Hat Single Sign-On 7.3.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: enabling default typing leads to code execution (CVE-2019-17531)\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n* jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943)\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942)\n* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n* xstream: remote code execution due to insecure XML deserialization regression (CVE-2019-10173)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-06T08:32:34", "type": "redhat", "title": "(RHSA-2020:0445) Important: Red Hat Single Sign-On 7.3.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10173", "CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2020-1697"], "modified": "2020-08-04T05:14:44", "id": "RHSA-2020:0445", "href": "https://access.redhat.com/errata/RHSA-2020:0445", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:47", "description": "Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.\n\nThis release of Red Hat Data Grid 7.3.5 serves as a replacement for Red Hat Data Grid 7.3.4 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.\n\nSecurity Fix(es):\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n* js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-05T13:05:49", "type": "redhat", "title": "(RHSA-2020:0729) Important: Red Hat Data Grid 7.3.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335"], "modified": "2020-03-05T13:06:21", "id": "RHSA-2020:0729", "href": "https://access.redhat.com/errata/RHSA-2020:0729", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:41", "description": "The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.\n\nSecurity Fix(es):\n\n* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-28T09:00:20", "type": "redhat", "title": "(RHSA-2020:1644) Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17531", "CVE-2019-20330", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-8840", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2021-09-29T01:30:00", "id": "RHSA-2020:1644", "href": "https://access.redhat.com/errata/RHSA-2020:1644", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:40", "description": "Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.\n\nThis release of Red Hat Data Grid 7.3.6 serves as a replacement for Red Hat Data Grid 7.3.5 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.\n\nSecurity Fix(es):\n\n* wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862)\n\n* apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)\n\n* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)\n\n* thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-26T16:02:16", "type": "redhat", "title": "(RHSA-2020:2321) Important: Red Hat Data Grid 7.3.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10862", "CVE-2019-0205", "CVE-2019-0210", "CVE-2019-10086", "CVE-2019-10219", "CVE-2019-14540", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-20444", "CVE-2019-20445", "CVE-2020-7238"], "modified": "2020-05-26T16:02:42", "id": "RHSA-2020:2321", "href": "https://access.redhat.com/errata/RHSA-2020:2321", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-03T15:19:48", "description": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 1.3.0 serves as a replacement for Red Hat AMQ Streams 1.2.0, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)\n\n* jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)\n\n* jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server (CVE-2019-12086)\n\n* jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message (CVE-2019-12814)\n\n* jackson-databind: Polymorphic typing issue related to logback/JNDI (CVE-2019-14439)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n* jackson-databind: Serialization gadgets in classes of the commons-configuration package (no CVE assigned) \n\n* jackson-databind: Serialization gadgets in classes of the xalan package (no CVE assigned) \n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-24T09:16:50", "type": "redhat", "title": "(RHSA-2019:3200) Moderate: Red Hat AMQ Streams 1.3.0 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12814", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-17267"], "modified": "2019-10-31T16:33:31", "id": "RHSA-2019:3200", "href": "https://access.redhat.com/errata/RHSA-2019:3200", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:47", "description": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 1.4.0 serves as a replacement for Red Hat AMQ Streams 1.3.0, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\n* jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943)\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531)\n\n* jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)\n\n* kafka: Connect REST API exposes plaintext secrets in tasks endpoint (CVE-2019-12399)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-23T13:14:04", "type": "redhat", "title": "(RHSA-2020:0939) Important: Red Hat AMQ Streams 1.4.0 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12399", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17531", "CVE-2019-20330", "CVE-2019-20444", "CVE-2019-20445", "CVE-2020-7238"], "modified": "2020-03-23T13:14:27", "id": "RHSA-2020:0939", "href": "https://access.redhat.com/errata/RHSA-2020:0939", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:40", "description": "Red Hat JBoss Enterprise Application Platform CD19 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform CD19 includes bug fixes and enhancements. \n\nSecurity Fix(es):\n\n* apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\n* infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)\n\n* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)\n\n* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)\n\n* jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)\n\n* jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)\n\n* jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)\n\n* jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)\n\n* jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)\n\n* thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419)\n\n* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)\n\n* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)\n\n* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n* cxf: reflected XSS in the services listing page (CVE-2019-17573)\n\n* jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)\n\n* resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)\n\n* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)\n\n* RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)\n\n* Soteria: security identity corruption across concurrent threads (CVE-2020-1732)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-28T15:47:01", "type": "redhat", "title": "(RHSA-2020:2333) Important: EAP Continuous Delivery Technical Preview Release 19 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2019-10086", "CVE-2019-10174", "CVE-2019-12419", "CVE-2019-12423", "CVE-2019-14540", "CVE-2019-14887", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-17573", "CVE-2019-20330", "CVE-2019-20444", "CVE-2019-20445", "CVE-2020-10672", "CVE-2020-10688", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-1695", "CVE-2020-1732", "CVE-2020-1745", "CVE-2020-7238", "CVE-2020-9547"], "modified": "2020-05-28T15:47:33", "id": "RHSA-2020:2333", "href": "https://access.redhat.com/errata/RHSA-2020:2333", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-03T15:19:48", "description": "The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.\n\nSecurity Fix(es):\n\n* jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-10T15:26:25", "type": "redhat", "title": "(RHSA-2019:4192) Important: rh-maven35-jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17531"], "modified": "2019-12-10T16:02:26", "id": "RHSA-2019:4192", "href": "https://access.redhat.com/errata/RHSA-2019:4192", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-24T01:39:59", "description": "## Summary\n\nIBM C\u00faram Social Program Management uses the FasterXML Jackson libraries, for which there are five publicly known vulnerabilities. All of the vulnerabilities, which are caused by various polymorphic typing issues, could enable a remote attacker to obtain sensitive information. \n\n## Vulnerability Details\n\nCVE-ID: CVE-2019-17531 \nDescription: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. \n_CVSS Base Score: 9.8 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/169073> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)_\n\nCVE-ID: CVE-2019-17267 \nDescription: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. \n_CVSS Base Score: 7.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/168514> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)_\n\nCVE-ID: CVE-2019-16942 \nDescription: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. \n_CVSS Base Score: 9.8 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/168254> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)_\n\nCVE-ID: CVE-2019-16335 \nDescription: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. \n_CVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/167205> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)_\n\nCVE-ID: CVE-2019-14540 \nDescription: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. \n_CVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/167354> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)_\n\n## Affected Products and Versions\n\nIBM C\u00faram Social Program Management 7.0.5.0 - 7.0.8.0\n\nIBM C\u00faram Social Program Management 7.0.0.0 - 7.0.4.4\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \nC\u00faram SPM | \n\n7.0.9\n\n| Visit IBM Fix Central and upgrade to [7.0.9](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.9.0_RP&platform=All&function=all>) or a subsequent 7.0.9 release. \nC\u00faram SPM | \n\n7.0.4.4\n\n| Visit IBM Fix Central and upgrade to [7.0.4.4_iFix1](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.4.4&platform=All&function=all>) or a subsequent 7.0.4 release. \n \n## Workarounds and Mitigations\n\nFor information about all other versions, contact IBM C\u00faram Social Program Management customer support.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-17T09:46:05", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in FasterXML Jackson libraries affect IBM C\u00faram Social Program Management (CVE-2019-17531, CVE-2019-17267, CVE-2019-16942, CVE-2019-16335, CVE-2019-14540)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2019-12-17T09:46:05", "id": "03691F1EE0B131D78EA0BD89002CC0B602DB37A603D015DF70107A778260C592", "href": "https://www.ibm.com/support/pages/node/1136572", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:38:45", "description": "## Summary\n\nSecurity vulnerabilities affect IBM Cloud Object Storage SDK Java. These vulnerabilities have been addressed in the latest SDK 2.5.5 release.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID: **CVE-2019-14540 \n**DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167354 for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nCOS SDK Java | Prior to 2.5.5 \n \n## Remediation/Fixes\n\n**_IBM COS SDK Releases_** **IBM COS SDK Releases** | **Link to Fix / Fix Availability Target** \n---|--- \n[COS SDK Java 2.5.5](<https://github.com/IBM/ibm-cos-sdk-java/tree/2.4.2>) | \n\n<https://github.com/IBM/ibm-cos-sdk-java/tree/2.5.5> \n \n## Workarounds and Mitigations\n\n**_IBM COS SDK Releases_** **IBM COS SDK Releases** | **Link to Fix / Fix Availability Target** \n---|--- \n[COS SDK Java 2.5.5](<https://github.com/IBM/ibm-cos-sdk-java/tree/2.4.2>) | \n\n<https://github.com/IBM/ibm-cos-sdk-java/tree/2.5.5> \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-17T17:16:46", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities affect IBM Cloud Object Storage SDK Java (November 2019 Bulletin)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267"], "modified": "2020-01-17T17:16:46", "id": "FE682ECFC10CBB3EA19CC98A95397F776F34168220DD72550FAE4CF5E216A9CC", "href": "https://www.ibm.com/support/pages/node/1105671", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:59", "description": "## Summary\n\nMultiple vulnerabilities exist in the Jackson databind, core, and annotations version used by IBM Spectrum Symphony V7.3, V7.2.1, V7.2.0.2, and V7.1.2, and IBM Platform Symphony V7.1.1 and V7.1 Fix Pack 1. Interim fixes that provide instructions on upgrading the Jackson databind, core, and annotations package to version 2.10.1 (which resolves these vulnerabilities) are available on IBM Fix Central. \n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Spectrum Symphony | 7.3 \nIBM Spectrum Symphony | 7.2.1 \nIBM Spectrum Symphony | 7.2.0.2 \nIBM Spectrum Symphony | 7.1.2 \nIBM Platform Symphony | 7.1.1 \nIBM Platform Symphony | 7.1 Fix Pack 1 \n \n## Remediation/Fixes\n\nIBM Spectrum Symphony 7.3 | [sym-7.3-build535377](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.3-build535377&includeSupersedes=0>) \n---|--- \nIBM Spectrum Symphony 7.2.1 | [sym-7.2.1-build535376](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build535376&includeSupersedes=0>) \nIBM Spectrum Symphony 7.2.0.2 | [sym-7.2.0.2-build535375](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build535375&includeSupersedes=0>) \nIBM Spectrum Symphony 7.1.2 | \n\n[sym-7.1.2-build535374](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1.2-build535374&includeSupersedes=0>) \n \nIBM Platform Symphony 7.1.1 | [sym-7.1.1-build535373](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1.1-build535373&includeSupersedes=0>) \nIBM Platform Symphony 7.1 Fix Pack 1 | [sym-7.1-build535372](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1-build535372&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-17T02:33:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2019-12-17T02:33:42", "id": "D76879E8E9C0967E4A6B7FF8216C0847B633BB1DAC32CEE31E4544A60A45BA68", "href": "https://www.ibm.com/support/pages/node/1137232", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:44:32", "description": "## Summary\n\nThere are multiple security vulnerabilities in FasterXML Jackson-databind that affect IBM Spectrum Protect Plus.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>) \n** DESCRIPTION: **SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Plus| 10.1.0-10.1.5 \n \n## Remediation/Fixes\n\n**Spectrum Protect** \n**Plus Release**| **First Fixing** \n**VRM Level**| **Platform**| **Link to Fix** \n---|---|---|--- \n10.1| 10.1.5 patch1| Linux| <http://www.ibm.com/support/docview.wss?uid=ibm11072392> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-22T00:15:15", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in FasterXML Jackson-databind affect IBM Spectrum Protect Plus (CVE-2019-16943, CVE-2019-16942, CVE-2019-17531, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14379, CVE-2019-14439)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2020-02-22T00:15:15", "id": "8677F08636676A812666D9173BE281822A35EA2589B586A211824F7B588BD018", "href": "https://www.ibm.com/support/pages/node/3176397", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:53:20", "description": "## Summary\n\nMultiple security vulnerabilities have been Identified In Jackson Databind library shipped with IBM Global Mailbox\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-8840](<https://vulners.com/cve/CVE-2020-8840>) \n** DESCRIPTION: **An unspecified error with the lack of certain xbean-reflect/JNDI blocking in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176241](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176241>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the p6spy class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-20330](<https://vulners.com/cve/CVE-2019-20330>) \n** DESCRIPTION: **A lacking of certain net.sf.ehcache blocking in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173897](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173897>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-12814](<https://vulners.com/cve/CVE-2019-12814>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue when Default Typing is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Global High Availability Mailbox| 6.0.2 \nIBM Global High Availability Mailbox| 6.0.2 \nIBM Global High Availability Mailbox| 6.0.2 \nIBM Global High Availability Mailbox| 6.0.2 \nIBM Global High Availability Mailbox| 6.0.2 \nB2Bi| 6.0.0.0 - 6.0.2.0 \nIBM Global High Availability Mailbox| 6.0.2 \nIBM Global High Availability Mailbox| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Jackson Databind library which is/are shipped with Global Mailbox.\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nGlobal Mailbox version 6.0.3.2 \n\n| \n\nJackson Databind Library version 2.10.2\n\n| \n\n[CVE-2019-12814](<https://www.ibm.com/support/pages/security-bulletin-vulnerability-jackson-databind-affects-ibm-global-high-availability-mailbox-cve-2019-12814> \"CVE-2019-12814\" )\n\n[CVE-2019-16335](<https://www.ibm.com/support/pages/security-bulletin-vulnerability-affecting-ibm-network-performance-insight-cve-2019-16335-0> \"CVE-2019-16335\" )\n\n[CVE-2019-14540](<https://www.ibm.com/support/pages/security-bulletin-vulnerability-has-been-identified-fasterxml-jackson-library-shipped-ibm-tivoli-netcoolomnibus-common-integration-libraries-cve-2019-14540> \"CVE-2019-14540\" )\n\n[CVE-2019-16942, CVE-2019-16943](<https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-fasterxml-jackson-libraries-affect-ibm-c%C3%BAram-social-program-management-cve-2019-17531-cve-2019-17267-cve-2019-16942-cve-2019-16335-cve-2019-14540> \"CVE-2019-16942, CVE-2019-16943\" )\n\n<https://www.ibm.com/support/pages/security-bulletin-ibm-watson-discovery-ibm-cloud-pak-data-affected-vulnerability-fasterxml-jackson-databind-2>\n\n[CVE-2019-17267](<https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-fasterxml-jackson-libraries-affect-ibm-c%C3%BAram-social-program-management-cve-2019-17531-cve-2019-17267-cve-2019-16942-cve-2019-16335-cve-2019-14540> \"CVE-2019-17267\" )\n\n[CVE-2019-17531](<https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-fasterxml-jackson-libraries-affect-ibm-c%C3%BAram-social-program-management-cve-2019-17531-cve-2019-17267-cve-2019-16942-cve-2019-16335-cve-2019-14540> \"CVE-2019-17531\" )\n\n[CVE-2019-20330](<https://www.ibm.com/support/pages/security-bulletin-vulnerability-fasterxml-jackson-libraries-affect-ibm-c%C3%BAram-social-program-management-cve-2019-20330> \"CVE-2019-20330\" )\n\n[CVE-2020-8840](<https://www.ibm.com/support/pages/node/6172383> \"CVE-2020-8840\" ) \n \n** **\n\n** **\n\nVersion 6.0.3.2 is now available on Fix Central.\n\n**IM images**\n\nSterling B2B Integrator\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-All&source=SAR>)\n\nSterling File Gateway\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-All&source=SAR>)\n\n**Docker Images**\n\nSterling B2B Integrator\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-Docker-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-Docker-All&source=SAR>)\n\nSterling File Gateway\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-Docker-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-Docker-All&source=SAR>)\n\n** **\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T17:07:55", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been Identified In Jackson Databind library shipped with IBM Global Mailbox", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12814", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-20330", "CVE-2020-8840"], "modified": "2020-07-24T17:07:55", "id": "31D7DCC8D683A82E44671DA5A38CDC1A58877727926C937FE8D9FD9EE9FD2370", "href": "https://www.ibm.com/support/pages/node/6209044", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:53:22", "description": "## Summary\n\nIBM Sterling B2B Integrator has addressed multiple security vulnerabilities in jackson-databind\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14892](<https://vulners.com/cve/CVE-2019-14892>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14893](<https://vulners.com/cve/CVE-2019-14893>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling B2B Integrator| 6.0.0.0 - 6.0.3.1 \nIBM Sterling B2B Integrator| 5.2.6.2 - 5.2.6.5_1 \n \n## Remediation/Fixes\n\n** Product & Version**| ** Remediation & Fix** \n---|--- \n5.2.6.2 - 5.2.6.5_1 B2B API| Apply IBM Sterling B2B Integrator version 5.2.6.5_2 and 6.0.3.2 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.3.1 B2B API| Apply IBM Sterling B2B Integrator version 6.0.3.2 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T17:07:55", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect B2B API of IBM Sterling B2B Integrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14892", "CVE-2019-14893"], "modified": "2020-07-24T17:07:55", "id": "9E2B2130333F7B296A139DA27C7C1DFF42D07DAB80C79514BA01F6BD2399CA84", "href": "https://www.ibm.com/support/pages/node/6210298", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:52:24", "description": "## Summary\n\njackson-databind (Publicly disclosed vulnerability) found in Network Performance Insight (CVE-2019-14892, CVE-2019-14893)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14892](<https://vulners.com/cve/CVE-2019-14892>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14893](<https://vulners.com/cve/CVE-2019-14893>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Network Performance Insight| 1.3 \nIBM Network Performance Insight| 1.3.1 \n \n\n\n## Remediation/Fixes\n\nFix of this vulnerability is addressed in following interim fix releases. \n\n1) NPI 1.3.1 \nInterim Fix Name: 1.3.1.0-TIV-NPI-IF0003 \nDirect Interim Fix URL: [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.1.0-TIV-NPI-IF0003](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.1.0-TIV-NPI-IF0003>)\n\n2) NPI 1.3 \nInterim Fix Name: 1.3.0.0-TIV-NPI-IF0007 \nDirect Interim Fix URL: [http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.0.0-TIV-NPI-IF0007&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.0.0-TIV-NPI-IF0007&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-04T19:14:01", "type": "ibm", "title": "Security Bulletin: jackson-databind (Publicly disclosed vulnerability) found in Network Performance Insight (CVE-2019-14892, CVE-2019-14893)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14892", "CVE-2019-14893"], "modified": "2020-08-04T19:14:01", "id": "8450E3844A56758A6756AAD90428DBE81790CEE3008B7F3BE6DC26A4C36196CB", "href": "https://www.ibm.com/support/pages/node/6256136", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:53:23", "description": "## Summary\n\nMultiple security vulnerabilities have been identified In Jackson Databind library shipped with IBM Global Mailbox (CVE-2019-14892, CVE-2019-14893)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14892](<https://vulners.com/cve/CVE-2019-14892>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14893](<https://vulners.com/cve/CVE-2019-14893>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Global High Availability Mailbox| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Jackson Databind library which is/are shipped with Global Mailbox. \n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nGlobal Mailbox version 6.0.3.2\n\n| \n\nJackson Databind Library version 2.10.2\n\n| \n\n[CVE-2019-14892](<https://vulners.com/cve/CVE-2019-14892>)\n\n[CVE-2019-14893](<https://vulners.com/cve/CVE-2019-14893>) \n \n** **\n\n** **\n\nVersion 6.0.3.2 is now available on Fix Central.\n\n**IM images**\n\nSterling B2B Integrator\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-All&source=SAR>)\n\nSterling File Gateway\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-All&source=SAR>)\n\n**Docker Images**\n\nSterling B2B Integrator\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-Docker-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.2-OtherSoftware-B2Bi-Docker-All&source=SAR>)\n\nSterling File Gateway\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-Docker-All&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.2-OtherSoftware-SFG-Docker-All&source=SAR>)\n\n** **\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T17:07:55", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified In Jackson Databind library shipped with IBM Global Mailbox (CVE-2019-14892, CVE-2019-14893)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14892", "CVE-2019-14893"], "modified": "2020-07-24T17:07:55", "id": "005BEBF506CCF33E4F5413948FD5D525CD71253A26E30C58CD0892DC694DCDEB", "href": "https://www.ibm.com/support/pages/node/6221228", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:25", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data ships with versions of FasterXML jackson-databind vulnerable to serialization gadgets.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n \n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 2.0.0-2.0.1 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-12-20T08:47:33", "id": "ADF0635C8C226573B68B90CCCD3BBEE5D58D01FA40BFFCEB1F024C6F94610012", "href": "https://www.ibm.com/support/pages/node/1126365", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:45:07", "description": "## Summary\n\nIBM Network Performance Insight has addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Network Performance Insight| 1.3 \nIBM Network Performance Insight| 1.3.1 \n \n\n\n## Remediation/Fixes\n\nThis interim fix, 1.3.0.0-TIV-NPI-IF0006, has been released to IBM fix Central. Here is the link:\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.0.0-TIV-NPI-IF0006&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.0.0-TIV-NPI-IF0006&source=SAR>)\n\nThis interim fix, 1.3.1.0-TIV-NPI-IF0002, has been released to IBM fix Central. Here is the link:\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.1.0-TIV-NPI-IF0002&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.1.0-TIV-NPI-IF0002&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-13T03:08:33", "type": "ibm", "title": "Security Bulletin: Vulnerability affecting IBM Network Performance Insight (CVE-2019-16335)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335"], "modified": "2020-02-13T03:08:33", "id": "9789CEECC4EAE227807072B0D67DFDE94D1DD1B27DF1CA3800BB5E560EEA2FD9", "href": "https://www.ibm.com/support/pages/node/2403651", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:25", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data is shipped with versions of FasterXML jackson-databind vulnerable to serialization gadgets.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 1.0.0-2.0.1 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335"], "modified": "2019-12-20T08:47:33", "id": "03FE2232223502F02C580E374AD84A4FA45BE8EED10FB86E986C5EE051FC791B", "href": "https://www.ibm.com/support/pages/node/1126401", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:53:21", "description": "## Summary\n\nIBM Sterling B2B Integrator has addressed multiple security vulnerabilities in jackson-databind\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the p6spy class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-14718](<https://vulners.com/cve/CVE-2018-14718>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the slf4j-ext class from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155139](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155139>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue when Default Typing is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-14719](<https://vulners.com/cve/CVE-2018-14719>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155138](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155138>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-19360](<https://vulners.com/cve/CVE-2018-19360>) \n** DESCRIPTION: **An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155091](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155091>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-14721](<https://vulners.com/cve/CVE-2018-14721>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155136](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155136>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-19361](<https://vulners.com/cve/CVE-2018-19361>) \n** DESCRIPTION: **An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155092](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155092>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-14720](<https://vulners.com/cve/CVE-2018-14720>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by JDK classes. By sending a specially-crafted XML data. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155137](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155137>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-11307](<https://vulners.com/cve/CVE-2018-11307>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an issue when untrusted content is deserialized with default typing enabled. By sending specially-crafted content over FTP, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163528](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163528>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-19362](<https://vulners.com/cve/CVE-2018-19362>) \n** DESCRIPTION: **An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155093](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155093>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the SubTypeValidator.java. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling B2B Integrator| 6.0.0.0 - 6.0.3.1 \nIBM Sterling B2B Integrator| 5.2.0.0 - 5.2.6.5_1 \n \n\n\n## Remediation/Fixes\n\n** Product & Version**| ** Remediation & Fix** \n---|--- \n5.2.0.0 - 6.2.6.5_1| Apply IBM Sterling B2B Integrator version 5.2.6.5_2 and 6.0.3.2 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.3.1| Apply IBM Sterling B2B Integrator version 6.0.3.2 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-24T17:07:55", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11307", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2019-14379", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2020-07-24T17:07:55", "id": "E51DDF73E3F5CD96B12560329D18889F698C09D96494E43FCCF428FEC32A1F2E", "href": "https://www.ibm.com/support/pages/node/6209691", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:52:06", "description": "## Summary\n\nFaster-XML Jackson Databind is used by IBM Operations Analytics Predictive Insights. IBM Operations Analytics Predictive Insights has addressed the applicable CVEs. Note that the usage of Jackson Databind within IBM Operations Analytics Predictive Insights is limited to the REST Mediation utility. If you do not have this utility installed you are not affected by this bulletin, otherwise apply the recommended remediation fixes.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14893](<https://vulners.com/cve/CVE-2019-14893>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14892](<https://vulners.com/cve/CVE-2019-14892>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Operations Analytics Predictive Insights| 1.3.6 \n \n\n\n## Remediation/Fixes\n\nApply 1.3.6 Interim Fix 2 or later \n\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6> \"https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6\" )\n\n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-12T15:02:05", "type": "ibm", "title": "Security Bulletin: A vulnerability in Faster-XML jackson databind affects IBM Operations Analytics Predictive Insights (CVE-2019-144892, CVE-2019-144893)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-144892", "CVE-2019-144893", "CVE-2019-14892", "CVE-2019-14893"], "modified": "2020-08-12T15:02:05", "id": "FDEE9E01E031FC60EEE159972E198CED45F49D69002CB877DA62B3D2C1C0494A", "href": "https://www.ibm.com/support/pages/node/6258281", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:54:15", "description": "## Summary\n\nIBM Data Risk Manager has addressed the following vulnerabilities:\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10172](<https://vulners.com/cve/CVE-2019-10172>) \n** DESCRIPTION: **Jackson-mapper-asl could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending a specially-crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-5398](<https://vulners.com/cve/CVE-2020-5398>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to obtain sensitive information, caused by a flaw when it sets a Content-Disposition header in the response. By using a reflected file download (RFD) attack, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174711](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174711>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-9548](<https://vulners.com/cve/CVE-2020-9548>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177104>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-9546](<https://vulners.com/cve/CVE-2020-9546>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177102](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177102>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-9547](<https://vulners.com/cve/CVE-2020-9547>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-20330](<https://vulners.com/cve/CVE-2019-20330>) \n** DESCRIPTION: **A lacking of certain net.sf.ehcache blocking in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173897](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173897>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the p6spy class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14863](<https://vulners.com/cve/CVE-2019-14863>) \n** DESCRIPTION: **Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173893](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173893>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-5405](<https://vulners.com/cve/CVE-2020-5405>) \n** DESCRIPTION: **Pivotal Spring Cloud Config could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to view arbitrary files on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177321](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177321>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-5397](<https://vulners.com/cve/CVE-2020-5397>) \n** DESCRIPTION: **Spring Framework is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174863](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174863>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-8840](<https://vulners.com/cve/CVE-2020-8840>) \n** DESCRIPTION: **An unspecified error with the lack of certain xbean-reflect/JNDI blocking in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176241](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176241>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-10219](<https://vulners.com/cve/CVE-2019-10219>) \n** DESCRIPTION: **Hibernate-Validator is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the SafeHtml validator annotation A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171317](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171317>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-14898](<https://vulners.com/cve/CVE-2019-14898>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a race condition in between mmget_not_zero()/get_task_mm() and core dumping. By using a specially-crafted system call, a local authenticated attacker could exploit this vulnerability to cause the system to crash or obtain sensitive information. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175727](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175727>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H) \n \n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue when Default Typing is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Data Risk Manager| 2.0.6 \nIBM Data Risk Manager| 2.0.6.1 \nIBM Data Risk Manager| 2.0.6.2 \n \n\n\n## Remediation/Fixes\n\nTo obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.2, and then apply the latest fixpacks (2.0.6.3 and then 2.0.6.4. None of them is cumulative - it must be applied on top of 2.0.6.2 in sequence). \n\n_Product_| _VRMF_| _APAR \n_| _Remediation / First Fix_ \n---|---|---|--- \nIBM Data Risk Manager| 2.0.6| \n\n-\n\n| \n\n1) Apply [IDRM_2.0.6.1_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" ) \n \nIBM Data Risk Manager| 2.0.6.1| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" ) \n \nIBM Data Risk Manager| 2.0.6.2| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-02T19:10:46", "type": "ibm", "title": "Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10172", "CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14863", "CVE-2019-14898", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-20330", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-5405", "CVE-2020-8840", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2020-07-02T19:10:46", "id": "CEFB2CDD169330DA5EC688A529952C2E9694D94C3E8E4A50C9011E9A9F7FD71F", "href": "https://www.ibm.com/support/pages/node/6243446", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:55:16", "description": "## Summary\n\nIBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to security vulnerabilities. Jackson-databind-2.8.11.2 library has known vulnerabilities in IBM Identity Governance and Intelligence.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2018-1000873](<https://vulners.com/cve/CVE-2018-1000873>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154804](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154804>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2018-14718](<https://vulners.com/cve/CVE-2018-14718>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the slf4j-ext class from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155139](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155139>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-14719](<https://vulners.com/cve/CVE-2018-14719>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155138](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155138>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2018-14720](<https://vulners.com/cve/CVE-2018-14720>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by JDK classes. By sending a specially-crafted XML data. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155137](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155137>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-14721](<https://vulners.com/cve/CVE-2018-14721>) \n** DESCRIPTION: **FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155136](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155136>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2018-19360](<https://vulners.com/cve/CVE-2018-19360>) \n** DESCRIPTION: **An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155091](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155091>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-19361](<https://vulners.com/cve/CVE-2018-19361>) \n** DESCRIPTION: **An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155092](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155092>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2018-19362](<https://vulners.com/cve/CVE-2018-19362>) \n** DESCRIPTION: **An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155093](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155093>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2019-12086](<https://vulners.com/cve/CVE-2019-12086>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a Polymorphic Typing issue that occurs due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a specially-crafted JSON message, a remote attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161256](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161256>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-12384](<https://vulners.com/cve/CVE-2019-12384>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the logback-core class from polymorphic deserialization. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-12814](<https://vulners.com/cve/CVE-2019-12814>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the SubTypeValidator.java. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue when Default Typing is enabled. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the p6spy class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue when Default Typing is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Identity Governance and Intelligence| 5.2.6 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)\n\n| \n\nVersion(s)\n\n| \n\nFirst Fix \n \n---|---|--- \n \nIBM Security Identity Governance and Intelligence\n\n| \n\n5.2.6\n\n| \n\n[5.2.6.0-ISS-SIGI-FP0001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.6.0&platform=All&function=all> \"5.2.6.0-ISS-SIGI-FP0001\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-05-29T15:44:58", "type": "ibm", "title": "Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000873", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-19360", "CVE-2018-19361", "CVE-2018-19362", "CVE-2019-12086", "CVE-2019-12384", "CVE-2019-12814", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2020-05-29T15:44:58", "id": "C034F4A93C7986F86B5276634B82B774DA1796B9A2CC2371DA4859670D82233E", "href": "https://www.ibm.com/support/pages/node/6217807", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:45:07", "description": "## Summary\n\nIBM Network Performance Insight has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>) \n** DESCRIPTION: **SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n \n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n \n** CVEID: **[CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n \n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Network Performance Insight| 1.3 \nIBM Network Performance Insight| 1.3.1 \n \n\n\n## Remediation/Fixes\n\nThis interim fix, 1.3.0.0-TIV-NPI-IF0006, has been released to IBM fix Central. Here is the link:\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.0.0-TIV-NPI-IF0006&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.0.0-TIV-NPI-IF0006&source=SAR>)\n\nThis interim fix, 1.3.1.0-TIV-NPI-IF0002, has been released to IBM fix Central. Here is the link:\n\n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.1.0-TIV-NPI-IF0002&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.3.1.0-TIV-NPI-IF0002&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-13T03:02:33", "type": "ibm", "title": "Security Bulletin: Vulnerabilities affect IBM Network Performance Insight (CVE-2019-14379, CVE-2019-17531, CVE-2019-14439 and CVE-2019-14540)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-17531"], "modified": "2020-02-13T03:02:33", "id": "4F9B97366DEEBEF2DEE9D041B3982BB1DF67BB173569B8AD40A84B319E78729B", "href": "https://www.ibm.com/support/pages/node/2403639", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:42:19", "description": "## Summary\n\nIBM Event Streams has addressed the following vulnerabilities in the jackson-databind versions shipped.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-12814](<https://vulners.com/cve/CVE-2019-12814>) \n**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162875> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>) \n**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue when Default Typing is enabled. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164744> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/167354> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/167205> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Event Streams 2019.2.1 or earlier\n\n## Remediation/Fixes\n\n\u21b5\n\nUpgrade to IBM Event Streams 2019.4.1 which is available from [Passport Advantage](<https://www.ibm.com/software/passportadvantage/>).\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-21T16:12:00", "type": "ibm", "title": "Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12814", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335"], "modified": "2019-10-21T16:12:00", "id": "872A188EC4E2613A4C8DAA4C113C491ED5226F5BC56BB46BEC54BB14EB8DB940", "href": "https://www.ibm.com/support/pages/node/1079409", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:31", "description": "## Summary\n\nMultiple vulnerabilities exist in the Jackson databind, core, and annotations version used by IBM Spectrum Symphony V7.2.1, V7.2.0.2, and V7.1.2, and IBM Platform Symphony V7.1.1 and V7.1 Fix Pack 1. Interim fixes that provide instructions on upgrading the Jackson databind, core, and annotations package to version 2.9.10 (which resolves these vulnerabilities) are available on IBM Fix Central. \n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID: **[CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>) \n**DESCRIPTION: **SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID: **[CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Spectrum Symphony | 7.2.1 \n---|--- \nIBM Spectrum Symphony | 7.2.0.2 \nIBM Spectrum Symphony | 7.1.2 \nIBM Platform Symphony | 7.1.1 \nIBM Platform Symphony | 7.1 Fix Pack 1 \n \n## Remediation/Fixes\n\nDownload the interim fixes that correspond to your product version from IBM Fix Central, then follow the steps in the accompanying readme to apply the interim fix on Linux x86_64 hosts in your cluster: IBM Spectrum Symphony 7.2.1 | [sym-7.2.1-build531757](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.1-build521112&includeSupersedes=0>) \n---|--- \nIBM Spectrum Symphony 7.2.0.2 | [sym-7.2.0.2-build531756](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.2.0.2-build521104&includeSupersedes=0>) \nIBM Spectrum Symphony 7.1.2 | [sym-7.1.2-build531754](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/IBM+Spectrum+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1.2-build521103&includeSupersedes=0>) \nIBM Platform Symphony 7.1.1 | \n\n[sym-7.1.1-build531752](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1.1-build521102&includeSupersedes=0>) \n \nIBM Platform Symphony 7.1 Fix Pack 1 | [sym-7.1-build531748](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1-build521096&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335"], "modified": "2019-12-20T08:47:33", "id": "9AB1E803E873C7A84CE99F66DE88AF1E8B46E7101BF649CF589989C1581AAA3B", "href": "https://www.ibm.com/support/pages/node/1106763", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:24", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data ships with versions of FasterXML jackson-databind vulnerable to serialization gadgets.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 2.0.0-2.0.1 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17267"], "modified": "2019-12-20T08:47:33", "id": "BA52B3AF65440148334C9734035B65F3CECB36A8D91122A0BF7EEA75DD6FF353", "href": "https://www.ibm.com/support/pages/node/1126347", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:23", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data ships with versions of FasterXML jackson-databind vulnerable to serialization gadgets.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 2.0.0-2.0.1 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1 \n\n<https://www.ibm.com/support/knowledgecenter/SSQNUZ_2.5.0/cpd/svc/watson/discovery-install.html>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17531"], "modified": "2019-12-20T08:47:33", "id": "57D600CD2AA47C0B8ED95337C0FAC5BB49FA1D0A06E1B389ADB391978858A509", "href": "https://www.ibm.com/support/pages/node/1126395", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:52:29", "description": "## Summary\n\nThere are multiple vulnerabilities that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Workflow Management (EWM), IBM Engineering Systems Design Rhapsody - Design Manager (RDM), IBM Engineering Systems Design Rhapsody - Model Manager (RMM).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-4410](<https://vulners.com/cve/CVE-2020-4410>) \n** DESCRIPTION: **IBM Engineering Test Management could allow an authenticated user to send a specially crafted HTTP GET request to read attachments on the server that they should not have access to. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179539](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179539>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-4542](<https://vulners.com/cve/CVE-2020-4542>) \n** DESCRIPTION: **IBM Engineering Requirements Management DOORS Next Generation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183046](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183046>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-4525](<https://vulners.com/cve/CVE-2020-4525>) \n** DESCRIPTION: **IBM Engineering Workflow Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182435](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182435>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-11620](<https://vulners.com/cve/CVE-2020-11620>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.jelly.impl.Embedded (aka commons-jelly). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11619](<https://vulners.com/cve/CVE-2020-11619>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179430](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179430>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11113](<https://vulners.com/cve/CVE-2020-11113>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178903](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178903>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11112](<https://vulners.com/cve/CVE-2020-11112>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178902](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178902>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11111](<https://vulners.com/cve/CVE-2020-11111>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178901](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178901>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10969](<https://vulners.com/cve/CVE-2020-10969>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in javax.swing.JEditorPane. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178546](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178546>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10968](<https://vulners.com/cve/CVE-2020-10968>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178544](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178544>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10673](<https://vulners.com/cve/CVE-2020-10673>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.caucho.config.types.ResourceRef (aka caucho-quercus). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178107](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178107>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10672](<https://vulners.com/cve/CVE-2020-10672>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178104>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14893](<https://vulners.com/cve/CVE-2019-14893>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-14892](<https://vulners.com/cve/CVE-2019-14892>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-9547](<https://vulners.com/cve/CVE-2020-9547>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-9546](<https://vulners.com/cve/CVE-2020-9546>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177102](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177102>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-8840](<https://vulners.com/cve/CVE-2020-8840>) \n** DESCRIPTION: **Multiple Huawei products could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data without proper validation. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-20330](<https://vulners.com/cve/CVE-2019-20330>) \n** DESCRIPTION: **A lacking of certain net.sf.ehcache blocking in FasterXML jackson-databind has an unknown impact and attack vector. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173897](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173897>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-17531](<https://vulners.com/cve/CVE-2019-17531>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue when Default Typing is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17267](<https://vulners.com/cve/CVE-2019-17267>) \n** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-16943](<https://vulners.com/cve/CVE-2019-16943>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the p6spy class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16942](<https://vulners.com/cve/CVE-2019-16942>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-16335](<https://vulners.com/cve/CVE-2019-16335>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-14439](<https://vulners.com/cve/CVE-2019-14439>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue when Default Typing is enabled. A remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-14379](<https://vulners.com/cve/CVE-2019-14379>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the SubTypeValidator.java. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-12384](<https://vulners.com/cve/CVE-2019-12384>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the logback-core class from polymorphic deserialization. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-12814](<https://vulners.com/cve/CVE-2019-12814>) \n** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-2785](<https://vulners.com/cve/CVE-2020-2785>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179685](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179685>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-2784](<https://vulners.com/cve/CVE-2020-2784>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179684](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179684>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-2787](<https://vulners.com/cve/CVE-2020-2787>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179687](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179687>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-2783](<https://vulners.com/cve/CVE-2020-2783>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179683](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179683>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-2786](<https://vulners.com/cve/CVE-2020-2786>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Fusion Middleware related to the Outside In Technology Outside In Filters component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and low availability impact. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179686>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-4396](<https://vulners.com/cve/CVE-2020-4396>) \n** DESCRIPTION: **IBM Engineering Test Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179359](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179359>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRQM| 6.0.6.1 \nRQM| 6.0.6 \nETM| 7.0.0 \nRQM| 6.0.2 \nEWM| 7.0 \nCLM| 6.0.6.1 \nCLM| 6.0.6 \nELM| 7.0 \nCLM| 6.0.2 \nRDNG| 6.0.2 \nRDNG| 6.0.6.1 \nRDNG| 6.0.6 \nDOORS Next| 7.0 \n \n\n\n## Remediation/Fixes\n\nFor the 6.0 - 7.0 releases:\n\nUpgrade to version 7.0 iFix003 or later\n\n * [IBM Engineering Lifecycle Management 7.0 iFix003](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"IBM Engineering Lifecycle Management 7.0 iFix003\" )\n * [IBM Engineering Requirements Management DOORS Next 7.0 iFix003](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS+Next&release=7.0&platform=All&function=all> \"IBM Engineering Requirements Management DOORS Next 7.0 iFix003\" )\n * [IBM Engineering Test Management 7.0 iFix003](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Test+Management&release=7.0&platform=All&function=all> \"IBM Engineering Test Management 7.0 iFix003\" )\n * [IBM Engineering Workflow Management 7.0 iFix003](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Workflow+Management&release=7.0&platform=All&function=all> \"IBM Engineering Workflow Management 7.0 iFix003\" )\n * IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix003](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix003](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n * IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from [ELM 7.0 iFix003](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Lifecycle+Management&release=7.0&platform=All&function=all> \"ELM 7.0 iFix003\" )\n 1. Upgrade to version 6.0.6.1 iFix011 or later\n\n * [Rational Collaborative Lifecycle Management 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * [Rational DOORS Next Generation 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.6.1&platform=All&function=all>)\n * [Rational Quality Manager 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.6.1&platform=All&function=all>)\n * [Rational Team Concert 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.6.1&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from [CLM 6.0.6.1 iFix011](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6.1&platform=All&function=all>)\n\nUpgrade to version 6.0.6 iFix017 or later \n\n * [Rational Collaborative Lifecycle Management 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * [Rational DOORS Next Generation 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.6&platform=All&function=all>)\n * [Rational Quality Manager 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.6&platform=All&function=all>)\n * [Rational Team Concert 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.6&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from [CLM 6.0.6 iFix017](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.6&platform=All&function=all>)\n\nUpgrade to version 6.0.2 iFix025 or later\n\n * [Rational Collaborative Lifecycle Management 6.0.2 iFix025](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n * [Rational Team Concert 6.0.2 iFix025](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Team+Concert&release=6.0.2&platform=All&function=all>)\n * [Rational Quality Manager 6.0.2 iFix025](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Quality+Manager&release=6.0.2&platform=All&function=all>)\n * [Rational DOORS Next Generation 6.0.2 iFix025](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+DOORS+Next+Generation&release=6.0.2&platform=All&function=all>)\n * Rational Software Architect Design Manager:_ _Upgrade to version 6.0.2 and install server from [CLM 6.0.2 iFix025](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n * Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.2 and install server from [CLM 6.0.2 iFix025](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n * Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.2 and install server from [CLM 6.0.2 iFix025](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Collaborative+Lifecycle+Management+Solution&release=6.0.2&platform=All&function=all>)\n\n \nFor any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \nIf the iFix is not found in the Fix Portal please contact IBM Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-03T22:41:05", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affects IBM Jazz Foundation and IBM Engineering products.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-12814", "CVE-2019-14379", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531", "CVE-2019-20330", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-2783", "CVE-2020-2784", "CVE-2020-2785", "CVE-2020-2786", "CVE-2020-2787", "CVE-2020-4396", "CVE-2020-4410", "CVE-2020-4525", "CVE-2020-4542", "CVE-2020-8840", "CVE-2020-9546", "CVE-2020-9547"], "modified": "2020-08-03T22:41:05", "id": "CCFD0AA6FE0B04D655CB682E840C88D56CFE6066B6B9B349560AFB2C6DFBCB00", "href": "https://www.ibm.com/support/pages/node/6255694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:44:49", "description": "## Summary\n\nFasterXML Jackson library is shipped as a component of IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library and Transformer for Message Bus Integration. Information about security vulnerabilities affecting FasterXML Jackson library has been published.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus Integration - Transport Module Common Integration Library| common-transportmodule-15_0 up to and including common-transportmodule-22_0 \nIBM Tivoli Netcool/OMNIbus Integration - Transformer for Message Bus Integration| common-transformer-8_0 up to and including common-transformer-10_0 \n \n\n\n## Remediation/Fixes\n\nUpdated Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus Integration - Transport Module Common Integration Library| [common-transportmodule-23_0](<https://www-01.ibm.com/support/docview.wss?uid=swg21698166> \"common-transportmodule-23_0\" ) \nIBM Tivoli Netcool/OMNIbus Integration - Transformer for Message Bus Integration| [common-transformer-11_0](<http://www-01.ibm.com/support/docview.wss?uid=swg21665222> \"common-transformer-11_0\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-18T04:10:14", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in FasterXML Jackson library shipped with IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2019-14540)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540"], "modified": "2020-02-18T04:10:14", "id": "2FD3E49CE60F2B203500062AB6489DE468C043F3E44529783A2D6A816327E9F5", "href": "https://www.ibm.com/support/pages/node/2801613", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:25", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data ships with versions of FasterXML jackson-databind vulnerable to serialization gadgets.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14540](<https://vulners.com/cve/CVE-2019-14540>) \n** DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 2.0.0-2.0.1 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540"], "modified": "2019-12-20T08:47:33", "id": "284009013594AC874FBB6555FD1C3E3775FEBDC4274891F220C759B5966E4021", "href": "https://www.ibm.com/support/pages/node/1126359", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:14", "description": "## Summary\n\nIBM Security Guardium has fixed this vulnerability \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Guardium| 11.1 \n \n\n\n## Remediation/Fixes\n\nProduct| Versions| Fix \n---|---|--- \nIBM Security Guardium| 11.1| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p120_Bundle_Sep-27-2020&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=All&function=fixId&fixids=SqlGuard_11.0p120_Bundle_Sep-27-2020&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-10-06T16:30:13", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by an Apache commons beanutils 1.9.2 library vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-10-06T16:30:13", "id": "17179127276D2C8BCC739D66B23A070D5DCF232A120A9E4EF31DA0C49E8077B9", "href": "https://www.ibm.com/support/pages/node/6343291", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:55:02", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Business Service Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Business Service Manager 6.1.x| IBM WebSphere Application Server 7.0 \nIBM Tivoli Business Service Manager 6.2.0| IBM WebSphere Application Server 8.5 \n \n \n\n\n## Remediation/Fixes\n\n_Principal Product and Version(s)_| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Business Service Manager 6.1.x| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\nFor IBM WebSphere Application Server V7.0.0.0 through 7.0.0.45: \nThis vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ). \nFor instruction on how to upgrade IBM WebSphere Application Server see the latest 6.1.* Tivoli Business Service Manager Fix Pack readme. \n \nIBM Tivoli Business Service Manager 6.2.0| \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\nFor IBM WebSphere Application Server V8.5.0.0 through 8.5.5.16: \nThis vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PH17557](<https://www.ibm.com/support/pages/node/1110453> \"PH17557\" ). \n\\--OR-- \nApply Fix Pack [8.5.5.17](<https://www.ibm.com/support/pages/node/3444555> \"\" ). \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-11T09:51:13", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Business Service Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-06-11T09:51:13", "id": "DC05F94C20E54530B22A0F7C5D47B16BEB79F796391043B6D8D2F3934DA6C247", "href": "https://www.ibm.com/support/pages/node/6226068", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:40:48", "description": "## Summary\n\nIBM Financial Transaction Manager for Corporate Payment Services (FTM CPS) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nv3.0.2.0 - 3.0.2.1, v3.2.1.0\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \nFTM CPS | 3.0.2.0 - 3.0.2.1 | PH16877 | [3.0.2.1-FTM-CPS-MP-iFix0020](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.2.1-FTM-CPS-MP-iFix0020&includeSupersedes=0&source=fc>) \nFTM CPS | 3.2.1.0 | PH16877 | [_3.2.1.0-FTM-CPS-MP-iFix0002_](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.2.1.0-FTM-CPS-MP-iFix0002&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-02-21T17:52:58", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-02-21T17:52:58", "id": "7E120392C6B27EF023444674C7B2E2BB0AF1032844B5941C3D340385D2344B0E", "href": "https://www.ibm.com/support/pages/node/1073870", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:04", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server component.\n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x:**\n\n * These vulnerabilities only applies to the CCRC WAN server component, and only for certain levels of WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | IBM WebSphere Application Server version 7.0, 8.0, 8.5, and 9.0. | \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n_For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-03T21:16:37", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-03T21:16:37", "id": "5A2425933E89E2C50FE1F3B1903983FFF1089EEE55483682712FA0DB9D6A700B", "href": "https://www.ibm.com/support/pages/node/1119387", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:02", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about a security vulnerability affecting WAS has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component.\n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x:**\n\nThis vulnerability only applies to the server component, and only for certain levels of WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | IBM WebSphere Application Server version 7.0, 8.0, 8.5, and 9.0. | \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n**ClearQuest Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x \n9.0.1.x | \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CM server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n_For 8.0.x, 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-10T02:23:50", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server which is used by IBM Rational ClearQuest (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-10T02:23:50", "id": "07988475CE9095B9471700FFB4FFB199A58AB32837E3178BE094D53E97B8461A", "href": "https://www.ibm.com/support/pages/node/1125219", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:46:44", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM WebSphere Remote Server - Product Family| All \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nWebSphere Remote Server \n9.0, 8.5, 7.0\n\n| \n\nWebSphere Application Server 9.0, 8.5, 8.0, 7.0\n\n| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-01-24T15:47:19", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-24T15:47:19", "id": "7F1C012CC641EF0CCDD9BC749B665F263D22200F5DA78D27932DB5F6F0D9433E", "href": "https://www.ibm.com/support/pages/node/1283440", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:55:03", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nWebGUI 8.1.0 GA and FP| Websphere Application Server 8.5 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-10T03:22:51", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-06-10T03:22:51", "id": "2B4BFF0D4D521D5012752D32EC9AED8D7B42C9CCDA58A0989CACAC0FE91E3799", "href": "https://www.ibm.com/support/pages/node/6221966", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:51", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with or is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.1 and 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.1 \nITNCM| 6.4.2 \n \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.1| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" ) See sections For V7.0.0.0 through 7.0.0.45 \nITNCM| 6.4.2| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" ) See sections For V8.5.0.0 through 8.5.5.16 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-10-14T22:31:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with or required product for IBM Tivoli Netcool Configuration Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-10-14T22:31:49", "id": "D9172969D61CF2C2B1320CAD15CAF5A2806FCA9580D5A6E5A2E2C98FF12E2386", "href": "https://www.ibm.com/support/pages/node/6348230", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T17:47:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Network Manager versions 3.9 and 4.1.1; IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2 \nITNM| 4.1.1 \nITNM| 3.9 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNM| 4.2| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease see section: **For V8.5.0.0 through 8.5.5.16:** \n \nITNM| 4.1.1| \n\n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease see section: **For V7.0.0.0 through 7.0.0.45:** \n \nITNM| 3.9| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease see section: **For V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-24T12:04:50", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with, or a required product for, IBM Tivoli Network Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-24T12:04:50", "id": "E652AD074D4537242E4F6F6865F5497FE3BCB4D68389AAE0D3EB706D9D1DD1ED", "href": "https://www.ibm.com/support/pages/node/6116530", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:14", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebSphere Application Server Patterns, all versions| WebSphere Application Server: \n\n * 9.0\n * 8.5\n * 8.0 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n * [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server bundled with IBM WebSphere Application Server Patterns is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "38FAB199DF9F4E39A65615F1E108853EF74C41252303325B3AE91FF543CD105A", "href": "https://www.ibm.com/support/pages/node/1119267", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:46:41", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli Access Manager for e-business. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Access Manager for e-business | 6.1.1.x \nIBM Tivoli Access Manager for e-business | 6.1.x \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli Access Manager for e-business \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-01-27T21:57:25", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In WebSphere Application Server shipped with IBM Tivoli Access Manager for e-business (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-27T21:57:25", "id": "2F2115F5724B651AC6B9F0B28265F93BC7C9AB2AC6ADC0181AFF86004B79A417", "href": "https://www.ibm.com/support/pages/node/1284040", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:10", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \n \nIBM Case Manager 5.1.1\n\nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0 \nIBM Case Manager 5.3.1 \nIBM Case Manager 5.3.2 \nIBM Case Manager 5.3.3\n\n| \n\nIBM WebSphere Application Server 7.0\n\nIBM WebSphere Application Server 8.0\n\nIBM WebSphere Application Server 8.5 \nIBM WebSphere Application Server 9.0 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "D5FC186AFDC475BF1011609D51599D9F4054E10263C52218648C49E2D757DF13", "href": "https://www.ibm.com/support/pages/node/1120173", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-01T17:55:02", "description": "## Abstract\n\nThis Fix Readme includes instructions to upgrading the Apache Commons Beanutils jar to v1.9.4 for Atlas eDiscovery Process Management(6.0.1.x and 6.0.2.x versions)\n\n## Content\n\n**PSIRT details**: PRID: PVR0203016, Advisory ADV0020809 - Apache Commons Beanutils Vulnerability \nCVEID: CVE-2019-10086 \nCVSS Base Score: 5.3\n\n \n**Description**: Apache Commons Beanutils may allow a remote attacker to gain unauthorized access to the system, due to a failure to suppress the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.\n\nFor more details on the security fix, please refer to the below link:\n\n<https://www.ibm.com/support/pages/node/5693133>\n\n \n**Fix**: \nThis fix is applicable for IBM Policy Atlas Suite version 6.0.1.x and 6.0.2.x \nThe commons-beanutils.jar must be upgraded from v1.9.2 to v1.9.4 in Policy Atlas and Atlas Extensions applications. For this ear files must be expanded before replacing the jar file and then compressed and deployed. \n\n \nTo apply the fix for Policy Atlas application, follow the steps mentioned below:\n\n 1. Backup the ear PolicyAtlas.ear.\n 2. Extract the ear file to PolicyAtlas folder.\n 3. Extract PolicyAtlas\\web.war to web folder.\n 4. Navigate to the PolicyAtlas\\web\\WEB-INF\\lib folder. \n 5. Replace the commons-beanutils.jar file with the one provided at the end of this document. \n 6. Compress the contents of the PolicyAtlas\\web folder and name it as web.war.\n 7. Compress the META-INF and web.war files.\n 8. Rename the zip file as PolicyAtlas.ear.\n 9. Deploy the Ear file.\n\n \nTo apply the fix for Atlas Extensions application, follow the steps mentioned below:\n\n 1. Backup the AtlasExtensions.ear file.\n 2. Extract the ear file to AtlasExtension folder.\n 3. Extract AtlasExtensions\\AtlasExtensions.war to AtlasExtensions folder.\n 4. Navigate to the AtlasExtensions\\AtlasExtensions\\WEB-INF\\lib folder.\n 5. Replace the commons-beanutils.jar file with the one provided at the end of this document. \n 6. Compress the contents of the AtlasExtensions\\AtlasExtensions folder and name it as AtlasExtensions.war.\n 7. Compress the META-INF and AtlasExtensions.war files.\n 8. Rename the zip file as AtlasExtensions.ear.\n 9. Deploy the Ear file.\n\n**Attachment: **Use this Apache Commons Beanutils jar\n\ncommons-beanutils.jar\n\n[{\"Line of Business\":{\"code\":\"\",\"label\":\"\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSXPJK\",\"label\":\"Atlas Policy Suite\"},\"ARM Category\":[],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Version(s)\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-09-28T07:57:33", "type": "ibm", "title": "Security Bulletin: Atlas eDiscovery Process Management(6.0.1.x and 6.0.2.x versions) is affected by a vulnerable Apache Commons Beanutils in WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-09-28T07:57:33", "id": "A0C17B7FA23DBF1DC4FACFA7A00FFB9DEE0554664F67073C8C966AAD62F6C865", "href": "https://www.ibm.com/support/pages/node/6337453", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:40:15", "description": "## Summary\n\nFinancial Transaction Manager for Digital Payments (FTM DP) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nFTM DP v3.2.2.0 - v3.2.2.1\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \nFTM DP | 3.2.2.0 - 3.2.2.1 | PH16867 | [3.2.2.1-FTM-DP-MP-iFix0002](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.2.2.1-FTM-DP-MP-iFix0002&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-05-04T19:05:04", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-05-04T19:05:04", "id": "7AABFFD7EDE8A56FF3E63014903A8533BF0F07389F0D81F452A4D9AFF5CEB90B", "href": "https://www.ibm.com/support/pages/node/1073862", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:26", "description": "## Summary\n\nIBM Content Navigator has addressed the following vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Content Navigator| 3.0CD \n \n## Remediation/Fixes\n\nProduct| VMRF| Remediation / First Fix \n---|---|--- \nIBM Content Navigator| 3.0 Continuous Delivery| 3.0.5. IF7 and above, 3.0.6 IF 3 and above \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-10-30T18:13:21", "type": "ibm", "title": "Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-10-30T18:13:21", "id": "9BBB794BF1DCF8660F8460268754D1A7E827EF26EEF07D631316C9EF5FC3CBDD", "href": "https://www.ibm.com/support/pages/node/1101321", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:27", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by IBM TNPM Wireline . This has been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTNPM| 1.4.0 \nTNPM| 1.4.1 \nTNPM| 1.4.2 \nTNPM| 1.4.4 \nTNPM| 1.4.3 \n \n\n\n## Remediation/Fixes\n\n * **For TNPM Wireline 1.4.0**** **** **\nApply TNPM Wireline DataView interim fix [IF0066 ](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.0.0-TIV-TNPM-IF0066&source=SAR> \"IF0066\" )or later\n\n * **For TNPM Wireline 1.4.1**** **\n\nApply TNPM Wireline DataView interim fix [IF0034](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.1.0-TIV-TNPM-IF0034&source=SAR> \"IF0034\" ) or later \n\n\n * **For TNPM Wireline 1.4.2**\n\n** **Apply TNPM Wireline DataView interim fix [IF0025](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.2.0-TIV-TNPM-IF0025&source=SAR> \"IF0025\" ) or later\n\n * **For TNPM Wireline 1.4.3**\n\n** **Apply TNPM Wireline DataView interim fix [IF0018](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.3.0-TIV-TNPM-IF0018&source=SAR> \"IF0018\" ) or later\n\n * **For TNPM Wireline 1.4.4**\n\nApply TNPM Wireline DataView interim fix [IF0007 ](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetcool+Performance+Manager&fixids=1.4.4.0-TIV-TNPM-IF0007&source=SAR> \"IF0007\" )or later \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-13T05:55:47", "type": "ibm", "title": "Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-13T05:55:47", "id": "A07C9B7C7D5952E2BBD4C0874BEC859D77892E662D993098C91BDFD5CD4FF6ED", "href": "https://www.ibm.com/support/pages/node/5737173", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:44:23", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli System Automation Application Manager| 4.1 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| \n\n# [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)\u200b\u200b\u200b\u200b\u200b\u200b\u200b](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\u200b\u200b\u200b\u200b\u200b\u200b\u200b\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-02-25T08:59:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-02-25T08:59:00", "id": "4F83742D4D9E3F03A6481F27A21969D4333962D309ACFDC2D174BF09D63F0F8A", "href": "https://www.ibm.com/support/pages/node/3407751", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T17:46:52", "description": "## Summary\n\nIBM Spectrum Protect Plus is affected by a vulnerability in Apache Commons Beanutils that can result in a remote attacker gaining unauthorized access to the system. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Plus| 10.1.0-10.1.5 \n \n## Remediation/Fixes\n\n**Spectrum Protect** \n**Plus Release**| **First Fixing** \n**VRM Level**| **Platform**| **Link to Fix** \n---|---|---|--- \n10.1| 10.1.5.2199| Linux| <https://www.ibm.com/support/pages/node/1135035> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-30T22:19:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons Beanutils affects IBM Spectrum Protect Plus (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-30T22:19:50", "id": "40F7CBCFB58A3B19B3D79CA6DAD7B6DC2BDC641FF8B170D51B354FDEBE613E4B", "href": "https://www.ibm.com/support/pages/node/6114232", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T17:47:22", "description": "## Summary\n\nIBM Tivoli Netcool Impact has addressed the following Apache Commons Beanutils vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool Impact 7.1.0| 7.1.0.0~7.1.0.17 \n \n\n\n## Remediation/Fixes\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0| _7.1.0.18_| _IJ20163_| [IBM Tivoli Netcool Impact 7.1.0 FP18](<https://www.ibm.com/support/pages/node/1288570> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-23T12:41:17", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Commons Beanutils vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-23T12:41:17", "id": "E5BBCEF719E615994F1B258C759E10E101CC12EE74BBCBA1AFE726D5AFF29509", "href": "https://www.ibm.com/support/pages/node/6115930", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:37", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz for Service Management| 1.1.3 - 1.1.3.5 \n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nJazz for Service Management version 1.1.3 - 1.1.3.5| Websphere Application Server Full Profile 8.5.5 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS interim fix.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-09T17:49:22", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-09T17:49:22", "id": "10FBEBB14A30BC73B75E0DF3E1AC14E07BC218A2AAE122217F23444AA2EEB55D", "href": "https://www.ibm.com/support/pages/node/5694309", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:43", "description": "## Summary\n\nIn Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nAtlas eDiscovery Process Management | 6.0.x \n \n\n\n## Remediation/Fixes\n\n**_ Product_**\n\n| \n\n**_ VRMF_**\n\n| \n\n**_ Remediation/First Fix_** \n \n---|---|--- \n \nAtlas eDiscovery Process Management\n\n| \n\n6.0.x\n\n| \n\nApply Fix Pack **6.0.3.9**, available from [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Atlas%20eDiscovery&product=ibm/Information+Management/Atlas+eDiscovery+Process+Management&release=6.0.3.9&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-06T06:28:13", "type": "ibm", "title": "Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable to Apache Commons Beanutils in WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-06T06:28:13", "id": "41BB6A57FAD3A6133AC798B9A434DFE0BA0E9AC64CD3258AAECCEAD5451AF287", "href": "https://www.ibm.com/support/pages/node/5693133", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:45:29", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by WebSphere Application Server in IBM Cloud. \n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION: **In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nThis vulnerability affect the following versions and releases of WebSphere Application Server and bundling products.\n\n * 9.0\n * 8.5\n\n## Remediation/Fixes\n\nTo patch new and existing service instances, refer to the IBM WebSphere Application Server bulletin listed below \n\n * [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-02-06T20:02:43", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils in IBM Cloud (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-02-06T20:02:43", "id": "E8E3D041384B3A1C50DFC8E8DD6B7415911290515C88A2C292DAF367F018B0E7", "href": "https://www.ibm.com/support/pages/node/1489029", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:52:19", "description": "## Summary\n\nApache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.0 \nContent Collector for Email| 4.0.1 \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.0, 4.0.1| Use Content Collector for Email 4.0.1.9 [Interim Fix IF006](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.9-IBM-ICC-IF006&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-08-06T17:01:19", "type": "ibm", "title": "Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server is vulnerable to Apache Commons beanutils", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-08-06T17:01:19", "id": "C22253825FA485019FC06565D7E7D6C4103E0C10B6510212859354833FAEB242", "href": "https://www.ibm.com/support/pages/node/6257133", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:56", "description": "## Summary\n\nThere is a vulnerability in Apache Commons Beanutils that is used by WebSphere Application Server. This has been addressed. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTivoli Common Reporting| 3.1.3 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n\n**Jazz for Service Management Releases \n**| **Remediation** \n---|--- \n1.1.3 - 1.1.3.7| \n\n[Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-09-15T15:14:57", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Common Reporting: TCR, a part of IBM Jazz for Service Management (JazzSM) is vulnerable to Apache Commons Beanutils (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-09-15T15:14:57", "id": "705D1AA8DC1EFC5A25852EAE8F70114AEDB618E07145B676E2B502DEDBEBA92D", "href": "https://www.ibm.com/support/pages/node/6333019", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:44", "description": "## Summary\n\nFix is available for vulnerability in Apache Commons Beanutils affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086).\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nTivoli Netcool/OMNIbus WebGUI 8.1.0\n\n## Remediation/Fixes\n\nProduct | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI | 8.1.0 | IJ18864 | Apply [Fix Pack 17](<https://www.ibm.com/support/pages/node/958815>) \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product.\n\n## Workarounds and Mitigations\n\nUpgrade to [WebGUI 8.1.0 Fix Pack 17](<https://www.ibm.com/support/pages/node/958815>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-10-23T02:41:56", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons Beanutils affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-10-23T02:41:56", "id": "4D266A154A3DA31DCA059F3C44F85045C1027D42EEAD68DA8098C2A3E0994AF2", "href": "https://www.ibm.com/support/pages/node/1096114", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:43:45", "description": "## Summary\n\nIBM C\u00faram Social Program Management uses the Apache Commons Beanutils library, for which there is a publicly known vulnerability. The vulnerability could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nCuram SPM | 7.0.5.0 - 7.0.8 \nCuram SPM | 7.0.0.0 - 7.0.4.4 \nCuram SPM | 6.2.0.0 - 6.2.0.6 \nCuram SPM | 6.1.0.0 - 6.1.1.6 \nCuram SPM | 6.0.5.0 - 6.0.5.10 \n \n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \nC\u00faram SPM | \n\n7.0.9\n\n| Visit IBM Fix Central and upgrade to [7.0.9](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.9.0_RP&platform=All&function=all>) or a subsequent 7.0.9 release. \nC\u00faram SPM | \n\n7.0.4.4\n\n| Visit IBM Fix Central and upgrade to [7.0.4.4_iFix1](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.4.4&platform=All&function=all>) or a subsequent 7.0.4.4 release. \nC\u00faram SPM | \n\n6.2.0.6\n\n| Visit IBM Fix Central and upgrade to [6.2.0.6_iFix4](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.2.0.6&platform=All&function=all> \"6.2.0.6_iFix4\" ) or a subsequent 6.2.0.6 release. \nC\u00faram SPM | \n\n6.1.1.6\n\n| Visit IBM Fix Central and upgrade to [6.1.1.6_iFix4](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.1.1.6&platform=All&function=all> \"6.1.1.6_iFix4\" ) or a subsequent 6.1.1.6 release. \nC\u00faram SPM | 6.0.5.10 | Visit IBM Fix Central and upgrade to [6.0.5.10_iFix5](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0.5.10&platform=All&function=all> \"6.0.5.10_iFix5\" ) or a subsequent 6.0.5.10 release. \n \n## Workarounds and Mitigations\n\nFor information about all other versions, contact IBM C\u00faram Social Program Management customer support.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-05T12:02:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons Beanutils library affect IBM C\u00faram Social Program Management (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-05T12:02:12", "id": "891E5F0424A107621BE648D5F1576C607F7834B3BC114E0F945E5010BA70A9F3", "href": "https://www.ibm.com/support/pages/node/5691476", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-23T21:40:10", "description": "## Summary\n\nIBM Financial Transaction Manager for Corporate Payment Services (FTM CPS) for Multi-Platform has addressed the following vulnerability. A potential vulnerability in the Apache Commons Beanutils module could allow unauthorized access to the classloader.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nFTM CPS v2.1.1.0 - 2.1.1.4\n\n## Remediation/Fixes\n\n_Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nFTM CPS\n\n| \n\n2.1.1.0 - 2.1.1.4\n\n| \n\nPH16878\n\n| \n\n[2.1.1-FTM-CPS-MP-FP0005](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=2.1.1-FTM-CPS-MP-fp0005&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-07-06T13:05:30", "type": "ibm", "title": "Security Bulletin: Financial Transaction Manager for Corporate Payment Services v2.1.1 is affected by a validation vulnerability (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-07-06T13:05:30", "id": "7C687A5C4DA5F147CCB651C24229AA31D311EBB13BB2DF3508D7A6085EF3DD7D", "href": "https://www.ibm.com/support/pages/node/1073874", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:37:31", "description": "## Summary\n\nA vulnerability in Apache Commons BeanUtils that is used by IBM InfoSphere Information Server was addressed. \n\n## Vulnerability Details\n\n**CVEID:** _[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>)_ \n**DESCRIPTION:** Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>_ for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server : versions 11.3, 11.5, 11.7 \nIBM InfoSphere Information Server on Cloud : versions 11.5, 11.7\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7 | _[JR61754](<http://www.ibm.com/support/docview.wss?uid=swg1JR61754>)_ | \\--Apply InfoSphere Information Server version [_11.7.1.0_](<https://www.ibm.com/support/docview.wss?uid=ibm10878310>) \n\\--Apply InfoSphere Information Server _[11.7.1.1](<https://www.ibm.com/support/pages/node/6209196>)_ \n \n \nInfoSphere Information Server, Information Server on Cloud | 11.5 | _[JR61754](<http://www.ibm.com/support/docview.wss?uid=swg1JR61754>)_ | \\--Apply InfoSphere Information Server version [_11.5.0.2_](<http://www.ibm.com/support/docview.wss?uid=swg24043666>) \n\\--Apply InfoSphere Information Server [_11.5.0.2 Service Pack 6_](<https://www-01.ibm.com/support/docview.wss?uid=ibm10957521>) \n\\--Apply InfoSphere _[Information Server Framework Security patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_isf_ru13_services_engine_client_multi>)_ \nInfoSphere Information Server | 11.3 | _[JR61754](<http://www.ibm.com/support/docview.wss?uid=swg1JR61754>)_ | \\--Upgrade to a new release where the issue has been addressed \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [contacts for other countries](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [open a Service Request](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-05-18T23:48:46", "type": "ibm", "title": "Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Commons BeanUtils CVE-2019-10086", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-05-18T23:48:46", "id": "39C354245E58DEA5508935346917841B7B505E810D13B316B0E6615AD25C04D2", "href": "https://www.ibm.com/support/pages/node/1116699", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:12", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version \n \n---|--- \n \nWebSphere Service Registry and Repository V8.5\n\n| \n\nWebSphere Application Server V8.5.5 \n \nWebSphere Service Registry and Repository V8.0\n\n| \n\nWebSphere Application Server V8.0 \n \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes: \n\n * [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" )\n\nNote the following Flash before upgrading WebSphere Application Server:\n\n * [WebSphere Service Registry and Repository: Read First before upgrading to WebSphere Application Server V8.5.5 Fix Pack 14](<http://www.ibm.com/support/docview.wss?uid=ibm10738013>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-20T08:47:33", "id": "766578EB2C7BE8A81F504B4989C22C31CF802D03B94649D36D4712AB13F788F0", "href": "https://www.ibm.com/support/pages/node/1120095", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:40:06", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Security Access Manager for Enterprise Single Sign-On. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nIBM Security Access Manager for Enterprise Single Sign-On 8.2.0, 8.2.1, 8.2.2\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM Security Access Manager for Enterprise Single Sign-On.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.0 | IBM WebSphere Application Server 7.0 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1 | IBM WebSphere Application Server 7.0, 8.5 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.2 | IBM WebSphere Application Server 8.5 | [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2019-12-02T16:31:24", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-12-02T16:31:24", "id": "3E90D8B117724A689CF205EB148C972A5AC679705260655DC0A260183EE9C99E", "href": "https://www.ibm.com/support/pages/node/1116183", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:54:36", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2\n\n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \nPredictive Customer Intelligence 1.1.2| Websphere Application Server 9.0.0.4| [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-23T19:24:17", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability has been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-06-23T19:24:17", "id": "037DC92C3964B9BE83FE00549FB0CE6C44ACB2D76406400ED57CA4D310EF3538", "href": "https://www.ibm.com/support/pages/node/6237856", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T05:46:38", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli Federated Identity Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Federated Identity Manager | All \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli Federated Identity Manager 6.2.X | IBM Websphere Server V 7.X | [WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-01-28T18:55:36", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability Has Been Identified In WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-28T18:55:36", "id": "A1EF9298714E6ED876FC447E879AE4AEF24B3BAE418A5BF1CCD587D6F1B0DF70", "href": "https://www.ibm.com/support/pages/node/1284376", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:52:16", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Security Key Lifecycle Manager | 4.0 \nIBM Security Key Lifecycle Manager | 3.0.1 \nIBM Security Key Lifecycle Manager | 3.0 \nIBM Security Key Lifecycle Manager | 2.7 \n \n## Remediation/Fixes\n\nPlease consult the [Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086)](<https://www.ibm.com/support/pages/node/1115085> \"Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils \$CVE-2019-10086\$\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-08-06T18:27:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-08-06T18:27:22", "id": "6BA96613CB9284A12C5C7BA5B1AF346C52C407C3784639F8A63CA5F6E90563C2", "href": "https://www.ibm.com/support/pages/node/6257153", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T17:47:04", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Netcool Configuration Manager version 6.4.1; IBM WebSphere Application Server is a required product for IBM Tivoli Netcool Configuration Manager version 6.4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.2 \nITNCM| 6.4.1 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.2| [WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease refer to section: **For V8.5.0.0 through 8.5.5.16:** \n \nITNCM| 6.4.1| \n\n[WebSphere Application Server is vulnerable to Apache Commons Beanutils](<https://www.ibm.com/support/pages/security-bulletin-websphere-application-server-vulnerable-apache-commons-beanutils-cve-2019-10086-0> \"WebSphere Application Server is vulnerable to Apache Commons Beanutils\" )\n\nPlease refer to section: **For V7.0.0.0 through 7.0.0.45:** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-03-24T12:15:52", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is shipped with, or a required product for, IBM Tivoli Netcool Configuration Manager (CVE-2019-10086)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2020-03-24T12:15:52", "id": "03BD9C6A634D56977256D0EB02550574DC21A677D8E08EEB57FD8C5F206D469F", "href": "https://www.ibm.com/support/pages/node/6116548", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2021-11-23T18:27:59", "description": " ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-05T00:00:00", "type": "oraclelinux", "title": "pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17531"], "modified": "2020-05-05T00:00:00", "id": "ELSA-2020-1644", "href": "http://linux.oracle.com/errata/ELSA-2020-1644.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "almalinux": [{"lastseen": "2023-06-05T14:41:16", "description": "The Public Key Infrastructure (PKI) Core contains fundamental packages required by AlmaLinux Certificate System.\n\nSecurity Fix(es):\n\n* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n* jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n* jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-28T09:00:20", "type": "almalinux", "title": "Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17531"], "modified": "2020-04-28T09:00:04", "id": "ALSA-2020:1644", "href": "https://errata.almalinux.org/8/ALSA-2020-1644.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2023-06-05T15:05:46", "description": "## Severity\n\nCritical\n\n## Vendor\n\nCloud Foundry Foundation\n\n## Description\n\nCloud Foundry UAA, versions prior to 74.7.0, contain a dependency on a vulnerable version of FasterXML jackson-databind. These issues have the CVEs CVE-2019-17531, CVE-2019-14379, CVE-2019-16942, CVE-2019-14540, CVE-2019-17267, CVE-2019-16335, and CVE-2019-16943.\n\n## Affected Cloud Foundry Products and Versions\n\n * CF Deployment \n * All versions prior to v12.7.0\n * UAA \n * All versions prior to v74.7.0\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:\n\n * CF Deployment \n * Upgrade All versions to v12.6.0 or greater\n * UAA \n * Upgrade All versions to v74.6.0 or greater\n\n## History\n\n2019-11-06: Initial vulnerability report published.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-13T00:00:00", "type": "cloudfoundry", "title": "Various CVEs: UAA consumes vulnerable versions of FasterXML jackson-databind | Cloud Foundry", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14379", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2019-11-13T00:00:00", "id": "CFOUNDRY:DBBC716FD85510861511BDE10DD24963", "href": "https://www.cloudfoundry.org/blog/various-jackson-cves-uaa/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "Project for parent pom for all Jackson components. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-12T00:29:49", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: jackson-parent-2.10-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-12T00:29:49", "id": "FEDORA:18A7960877B3", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N2KHDT3IPBKLVBRWQXAKXQXCTFG6W4UX/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Core annotations used for value types, used by Jackson data-binding package. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-26T17:30:55", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: jackson-annotations-2.10.0-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-26T17:30:55", "id": "FEDORA:277F560476FA", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DQPRDZIY5XBP6IGPQ7VJUVJUSO7PAMSH/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The general-purpose data-binding functionality and tree-model for Jackson D ata Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-26T17:30:55", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: jackson-databind-2.10.0-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-26T17:30:55", "id": "FEDORA:AE8886060E81", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A5OXHI43AG2UWCSTYYTASAVK2VIHIJDS/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Core part of Jackson that defines Streaming API as well as basic shared abstractions. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-26T17:30:55", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: jackson-core-2.10.0-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-26T17:30:55", "id": "FEDORA:929076060E6D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Project for parent pom for all Jackson components. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-26T17:30:55", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: jackson-parent-2.10-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-26T17:30:55", "id": "FEDORA:C91E46060E8C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PE6C23MULONYJO2LUE3KAPVXR7HUU4EH/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Core annotations used for value types, used by Jackson data-binding package. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-12T00:29:48", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: jackson-annotations-2.10.0-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-12T00:29:48", "id": "FEDORA:4D359608778C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6DWXRMZMLNYP6T5RFMNNHUVSQYNFRUTQ/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Core part of Jackson that defines Streaming API as well as basic shared abstractions. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-12T00:29:48", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: jackson-core-2.10.0-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-12T00:29:48", "id": "FEDORA:BFF95608779F", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "A \"bill of materials\" POM for Jackson dependencies. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-12T00:29:48", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: jackson-bom-2.10.0-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-12T00:29:48", "id": "FEDORA:A09EE6087595", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/33HU6Z2AB327DF4Q6SABY7NDN2Z32MS2/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "A \"bill of materials\" POM for Jackson dependencies. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-26T17:30:55", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: jackson-bom-2.10.0-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-26T17:30:55", "id": "FEDORA:772A7605712B", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LQT5BNRE7LKJICVXCTQLDIGUNWFWNZM6/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The general-purpose data-binding functionality and tree-model for Jackson D ata Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-12T00:29:48", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: jackson-databind-2.10.0-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-12T00:29:48", "id": "FEDORA:D948D608771F", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4JYW4U272JPM7AYVNENNTWYYYAAQ4TZO/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The scope of this package is to create a package of Java utility methods for accessing and modifying the properties of arbitrary JavaBeans. No dependencies outside of the JDK are required, so the use of this package is very lightweight. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-11-13T10:08:09", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: apache-commons-beanutils-1.9.4-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-11-13T10:08:09", "id": "FEDORA:F015D61278C8", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "The scope of this package is to create a package of Java utility methods for accessing and modifying the properties of arbitrary JavaBeans. No dependencies outside of the JDK are required, so the use of this package is very lightweight. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-11-13T09:58:19", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: apache-commons-beanutils-1.9.4-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-11-13T09:58:19", "id": "FEDORA:EF5B36120D8F", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-10-15T14:42:12", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-12T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-bom FEDORA-2019-b171554877", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2019-10-15T00:00:00", "id": "OPENVAS:1361412562310876908", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876908", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876908\");\n script_version(\"2019-10-15T06:42:05+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-15 06:42:05 +0000 (Tue, 15 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-12 02:30:50 +0000 (Sat, 12 Oct 2019)\");\n script_name(\"Fedora Update for jackson-bom FEDORA-2019-b171554877\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-b171554877\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33HU6Z2AB327DF4Q6SABY7NDN2Z32MS2\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-bom'\n package(s) announced via the FEDORA-2019-b171554877 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A 'bill of materials' POM for Jackson dependencies.\");\n\n script_tag(name:\"affected\", value:\"'jackson-bom' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-bom\", rpm:\"jackson-bom~2.10.0~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:26:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-03T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for jackson-databind (DLA-1943-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891943", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891943", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891943\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-10-03 02:00:14 +0000 (Thu, 03 Oct 2019)\");\n script_name(\"Debian LTS: Security Advisory for jackson-databind (DLA-1943-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1943-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/940498\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/941530\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-databind'\n package(s) announced via the DLA-1943-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"More deserialization flaws were discovered in jackson-databind\nrelating to the classes in com.zaxxer.hikari.HikariConfig,\ncom.zaxxer.hikari.HikariDataSource, commons-dbcp and\ncom.p6spy.engine.spy.P6DataSource, which could allow an\nunauthenticated user to perform remote code execution. The issue was\nresolved by extending the blacklist and blocking more classes from\npolymorphic deserialization.\");\n\n script_tag(name:\"affected\", value:\"'jackson-databind' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2.4.2-2+deb8u9.\n\nWe recommend that you upgrade your jackson-databind packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java\", ver:\"2.4.2-2+deb8u9\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java-doc\", ver:\"2.4.2-2+deb8u9\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:48:53", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-core FEDORA-2019-cf87377f5f", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877212", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877212", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877212\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:32:09 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for jackson-core FEDORA-2019-cf87377f5f\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-cf87377f5f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-core'\n package(s) announced via the FEDORA-2019-cf87377f5f advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Core part of Jackson that defines Streaming API as well\nas basic shared abstractions.\");\n\n script_tag(name:\"affected\", value:\"'jackson-core' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-core\", rpm:\"jackson-core~2.10.0~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-15T14:41:17", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-12T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-annotations FEDORA-2019-b171554877", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2019-10-15T00:00:00", "id": "OPENVAS:1361412562310876900", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876900", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876900\");\n script_version(\"2019-10-15T06:42:05+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-15 06:42:05 +0000 (Tue, 15 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-12 02:30:23 +0000 (Sat, 12 Oct 2019)\");\n script_name(\"Fedora Update for jackson-annotations FEDORA-2019-b171554877\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-b171554877\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DWXRMZMLNYP6T5RFMNNHUVSQYNFRUTQ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-annotations'\n package(s) announced via the FEDORA-2019-b171554877 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Core annotations used for value types,\nused by Jackson data-binding package.\");\n\n script_tag(name:\"affected\", value:\"'jackson-annotations' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-annotations\", rpm:\"jackson-annotations~2.10.0~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-15T14:37:45", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-12T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-core FEDORA-2019-b171554877", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2019-10-15T00:00:00", "id": "OPENVAS:1361412562310876901", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876901", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876901\");\n script_version(\"2019-10-15T06:42:05+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-15 06:42:05 +0000 (Tue, 15 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-12 02:30:27 +0000 (Sat, 12 Oct 2019)\");\n script_name(\"Fedora Update for jackson-core FEDORA-2019-b171554877\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-b171554877\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-core'\n package(s) announced via the FEDORA-2019-b171554877 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Core part of Jackson that defines Streaming API as well\nas basic shared abstractions.\");\n\n script_tag(name:\"affected\", value:\"'jackson-core' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-core\", rpm:\"jackson-core~2.10.0~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-15T14:37:45", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-12T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-parent FEDORA-2019-b171554877", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2019-10-15T00:00:00", "id": "OPENVAS:1361412562310876904", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876904", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876904\");\n script_version(\"2019-10-15T06:42:05+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-15 06:42:05 +0000 (Tue, 15 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-12 02:30:35 +0000 (Sat, 12 Oct 2019)\");\n script_name(\"Fedora Update for jackson-parent FEDORA-2019-b171554877\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-b171554877\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2KHDT3IPBKLVBRWQXAKXQXCTFG6W4UX\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-parent'\n package(s) announced via the FEDORA-2019-b171554877 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Project for parent pom for all Jackson components.\");\n\n script_tag(name:\"affected\", value:\"'jackson-parent' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-parent\", rpm:\"jackson-parent~2.10~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:48:55", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-parent FEDORA-2019-cf87377f5f", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877267", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877267", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877267\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:34:49 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for jackson-parent FEDORA-2019-cf87377f5f\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-cf87377f5f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PE6C23MULONYJO2LUE3KAPVXR7HUU4EH\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-parent'\n package(s) announced via the FEDORA-2019-cf87377f5f advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Project for parent pom for all Jackson components.\");\n\n script_tag(name:\"affected\", value:\"'jackson-parent' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-parent\", rpm:\"jackson-parent~2.10~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:48:50", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-databind FEDORA-2019-cf87377f5f", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877322", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877322", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877322\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:38:04 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for jackson-databind FEDORA-2019-cf87377f5f\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-cf87377f5f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5OXHI43AG2UWCSTYYTASAVK2VIHIJDS\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-databind'\n package(s) announced via the FEDORA-2019-cf87377f5f advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The general-purpose data-binding functionality and tree-model for Jackson Data\nProcessor. It builds on core streaming parser/generator package, and uses\nJackson Annotations for configuration.\");\n\n script_tag(name:\"affected\", value:\"'jackson-databind' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-databind\", rpm:\"jackson-databind~2.10.0~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:48:49", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-annotations FEDORA-2019-cf87377f5f", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877291", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877291", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877291\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:36:14 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for jackson-annotations FEDORA-2019-cf87377f5f\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-cf87377f5f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQPRDZIY5XBP6IGPQ7VJUVJUSO7PAMSH\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-annotations'\n package(s) announced via the FEDORA-2019-cf87377f5f advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Core annotations used for value types,\nused by Jackson data-binding package.\");\n\n script_tag(name:\"affected\", value:\"'jackson-annotations' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-annotations\", rpm:\"jackson-annotations~2.10.0~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:48:52", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-bom FEDORA-2019-cf87377f5f", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877119", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877119", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877119\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:26:40 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for jackson-bom FEDORA-2019-cf87377f5f\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-cf87377f5f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQT5BNRE7LKJICVXCTQLDIGUNWFWNZM6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-bom'\n package(s) announced via the FEDORA-2019-cf87377f5f advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A 'bill of materials' POM for Jackson dependencies.\");\n\n script_tag(name:\"affected\", value:\"'jackson-bom' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-bom\", rpm:\"jackson-bom~2.10.0~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-15T14:40:28", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-12T00:00:00", "type": "openvas", "title": "Fedora Update for jackson-databind FEDORA-2019-b171554877", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-12384", "CVE-2019-16335"], "modified": "2019-10-15T00:00:00", "id": "OPENVAS:1361412562310876898", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876898", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876898\");\n script_version(\"2019-10-15T06:42:05+0000\");\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\", \"CVE-2019-12384\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-15 06:42:05 +0000 (Tue, 15 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-12 02:30:18 +0000 (Sat, 12 Oct 2019)\");\n script_name(\"Fedora Update for jackson-databind FEDORA-2019-b171554877\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-b171554877\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JYW4U272JPM7AYVNENNTWYYYAAQ4TZO\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-databind'\n package(s) announced via the FEDORA-2019-b171554877 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The general-purpose data-binding functionality and tree-model for Jackson Data\nProcessor. It builds on core streaming parser/generator package, and uses\nJackson Annotations for configuration.\");\n\n script_tag(name:\"affected\", value:\"'jackson-databind' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jackson-databind\", rpm:\"jackson-databind~2.10.0~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-07T14:45:52", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-10-07T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4542-1 (jackson-databind - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-12384", "CVE-2019-14439", "CVE-2019-16335"], "modified": "2019-10-07T00:00:00", "id": "OPENVAS:1361412562310704542", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704542", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704542\");\n script_version(\"2019-10-07T02:00:11+0000\");\n script_cve_id(\"CVE-2019-12384\", \"CVE-2019-14439\", \"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-07 02:00:11 +0000 (Mon, 07 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-10-07 02:00:11 +0000 (Mon, 07 Oct 2019)\");\n script_name(\"Debian Security Advisory DSA 4542-1 (jackson-databind - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(10|9)\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4542.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4542-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-databind'\n package(s) announced via the DSA-4542-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that jackson-databind, a Java library used to parse\nJSON and other data formats, did not properly validate user input\nbefore attempting deserialization. This allowed an attacker providing\nmaliciously crafted input to perform code execution, or read arbitrary\nfiles on the server.\");\n\n script_tag(name:\"affected\", value:\"'jackson-databind' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 2.8.6-1+deb9u6.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.9.8-3+deb10u1.\n\nWe recommend that you upgrade your jackson-databind packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java\", ver:\"2.9.8-3+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java-doc\", ver:\"2.9.8-3+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java\", ver:\"2.8.6-1+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java-doc\", ver:\"2.8.6-1+deb9u6\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:27:28", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-12-11T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for jackson-databind (DLA-2030-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17531", "CVE-2019-17267"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310892030", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892030", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892030\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-17267\", \"CVE-2019-17531\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-12-11 03:00:47 +0000 (Wed, 11 Dec 2019)\");\n script_name(\"Debian LTS: Security Advisory for jackson-databind (DLA-2030-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2030-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-databind'\n package(s) announced via the DLA-2030-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"More deserialization flaws were discovered in jackson-databind which\ncould allow an unauthenticated user to perform remote code execution.\nThe issue was resolved by extending the blacklist and blocking more\nclasses from polymorphic deserialization.\");\n\n script_tag(name:\"affected\", value:\"'jackson-databind' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2.4.2-2+deb8u10.\n\nWe recommend that you upgrade your jackson-databind packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java\", ver:\"2.4.2-2+deb8u10\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java-doc\", ver:\"2.4.2-2+deb8u10\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-14T14:49:22", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for apache-commons-beanutils FEDORA-2019-bcad44b5d6", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877152", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877152", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877152\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:28:54 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for apache-commons-beanutils FEDORA-2019-bcad44b5d6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-bcad44b5d6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-beanutils'\n package(s) announced via the FEDORA-2019-bcad44b5d6 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The scope of this package is to create a package of Java utility methods\nfor accessing and modifying the properties of arbitrary JavaBeans. No\ndependencies outside of the JDK are required, so the use of this package\nis very lightweight.\");\n\n script_tag(name:\"affected\", value:\"'apache-commons-beanutils' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils\", rpm:\"apache-commons-beanutils~1.9.4~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-30T16:44:09", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-29T00:00:00", "type": "openvas", "title": "CentOS: Security Advisory for apache-commons-beanutils (CESA-2020:0194)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-30T00:00:00", "id": "OPENVAS:1361412562310883171", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883171", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883171\");\n script_version(\"2020-01-30T08:15:08+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-30 08:15:08 +0000 (Thu, 30 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-29 04:01:10 +0000 (Wed, 29 Jan 2020)\");\n script_name(\"CentOS: Security Advisory for apache-commons-beanutils (CESA-2020:0194)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2020:0194\");\n script_xref(name:\"URL\", value:\"https://lists.centos.org/pipermail/centos-announce/2020-January/035618.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-beanutils'\n package(s) announced via the CESA-2020:0194 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Apache Commons BeanUtils library provides utility methods for accessing\nand modifying properties of arbitrary JavaBeans.\n\nSecurity Fix(es):\n\n * apache-commons-beanutils: does not suppresses the class property in\nPropertyUtilsBean by default (CVE-2019-10086)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'apache-commons-beanutils' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils\", rpm:\"apache-commons-beanutils~1.8.3~15.el7_7\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"apache-commons-beanutils-javadoc\", rpm:\"apache-commons-beanutils-javadoc~1.8.3~15.el7_7\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:29:15", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-08-26T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for commons-beanutils (DLA-1896-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891896", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891896", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891896\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-10086\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-26 02:00:07 +0000 (Mon, 26 Aug 2019)\");\n script_name(\"Debian LTS: Security Advisory for commons-beanutils (DLA-1896-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1896-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'commons-beanutils'\n package(s) announced via the DLA-1896-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\");\n\n script_tag(name:\"affected\", value:\"'commons-beanutils' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this issue has been fixed in commons-beanutils\nversion 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libcommons-beanutils-java\", ver:\"1.9.2-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libcommons-beanutils-java-doc\", ver:\"1.9.2-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-07-21T08:18:07", "description": "\nMore deserialization flaws were discovered in jackson-databind\nrelating to the classes in com.zaxxer.hikari.HikariConfig,\ncom.zaxxer.hikari.HikariDataSource, commons-dbcp and\ncom.p6spy.engine.spy.P6DataSource, which could allow an\nunauthenticated user to perform remote code execution. The issue was\nresolved by extending the blacklist and blocking more classes from\npolymorphic deserialization.\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n2.4.2-2+deb8u9.\n\n\nWe recommend that you upgrade your jackson-databind packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-03T00:00:00", "type": "osv", "title": "jackson-databind - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-16335"], "modified": "2022-07-21T05:52:50", "id": "OSV:DLA-1943-1", "href": "https://osv.dev/vulnerability/DLA-1943-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T07:15:06", "description": "\nIt was discovered that jackson-databind, a Java library used to parse\nJSON and other data formats, did not properly validate user input\nbefore attempting deserialization. This allowed an attacker providing\nmaliciously crafted input to perform code execution, or read arbitrary\nfiles on the server.\n\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2.8.6-1+deb9u6.\n\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.9.8-3+deb10u1.\n\n\nWe recommend that you upgrade your jackson-databind packages.\n\n\nFor the detailed security status of jackson-databind please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/jackson-databind](https://security-tracker.debian.org/tracker/jackson-databind)\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-06T00:00:00", "type": "osv", "title": "jackson-databind - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16942", "CVE-2019-14540", "CVE-2019-16943", "CVE-2019-14439", "CVE-2019-16335", "CVE-2019-14379"], "modified": "2022-08-10T07:15:00", "id": "OSV:DSA-4542-1", "href": "https://osv.dev/vulnerability/DSA-4542-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T05:18:42", "description": "\nMore deserialization flaws were discovered in jackson-databind which\ncould allow an unauthenticated user to perform remote code execution.\nThe issue was resolved by extending the blacklist and blocking more\nclasses from polymorphic deserialization.\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n2.4.2-2+deb8u10.\n\n\nWe recommend that you upgrade your jackson-databind packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-10T00:00:00", "type": "osv", "title": "jackson-databind - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17531", "CVE-2019-17267"], "modified": "2022-08-05T05:18:38", "id": "OSV:DLA-2030-1", "href": "https://osv.dev/vulnerability/DLA-2030-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:49:47", "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-23T18:33:45", "type": "osv", "title": "Polymorphic Typing issue in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335"], "modified": "2023-04-11T01:49:42", "id": "OSV:GHSA-85CW-HJ65-QQV9", "href": "https://osv.dev/vulnerability/GHSA-85cw-hj65-qqv9", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:33:15", "description": "A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-15T18:58:58", "type": "osv", "title": "Polymorphic deserialization of malicious object in jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14892"], "modified": "2023-04-11T01:32:40", "id": "OSV:GHSA-CF6R-3WGC-H863", "href": "https://osv.dev/vulnerability/GHSA-cf6r-3wgc-h863", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:38:35", "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-15T18:44:48", "type": "osv", "title": "Improper Input Validation in jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17267"], "modified": "2023-04-11T01:38:32", "id": "OSV:GHSA-F3J5-RMMP-3FC5", "href": "https://osv.dev/vulnerability/GHSA-f3j5-rmmp-3fc5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:42:20", "description": "A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T01:14:26", "type": "osv", "title": "Improper Access Control in Elasticsearch", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7611"], "modified": "2023-04-11T01:42:17", "id": "OSV:GHSA-FJ32-6V7M-57PG", "href": "https://osv.dev/vulnerability/GHSA-fj32-6v7m-57pg", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:34:54", "description": "A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-15T18:59:07", "type": "osv", "title": "Polymorphic deserialization of malicious object in jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14893"], "modified": "2023-04-11T01:34:51", "id": "OSV:GHSA-QMQC-X3R4-6V39", "href": "https://osv.dev/vulnerability/GHSA-qmqc-x3r4-6v39", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:49:12", "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-13T00:32:38", "type": "osv", "title": "Polymorphic typing issue", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17531"], "modified": "2023-04-11T01:49:10", "id": "OSV:GHSA-GJMW-VF9H-G25V", "href": "https://osv.dev/vulnerability/GHSA-gjmw-vf9h-g25v", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:31:39", "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-28T20:51:15", "type": "osv", "title": "Polymorphic Typing in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16942"], "modified": "2023-04-11T01:31:16", "id": "OSV:GHSA-MX7P-6679-8G3Q", "href": "https://osv.dev/vulnerability/GHSA-mx7p-6679-8g3q", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T05:42:54", "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-13T00:32:27", "type": "osv", "title": "Polymorphic typing issue", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16943"], "modified": "2023-03-28T05:42:48", "id": "OSV:GHSA-FMMC-742Q-JG75", "href": "https://osv.dev/vulnerability/GHSA-fmmc-742q-jg75", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:46:12", "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-23T18:33:25", "type": "osv", "title": "Polymorphic Typing issue in FasterXML jackson-databind", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540"], "modified": "2023-04-11T01:46:10", "id": "OSV:GHSA-H822-R4R5-V8JG", "href": "https://osv.dev/vulnerability/GHSA-h822-r4r5-v8jg", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T05:18:35", "description": "\nIt was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\n\n\n* [CVE-2019-10086](https://security-tracker.debian.org/tracker/CVE-2019-10086)\nIn Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n1.9.2-1+deb8u1.\n\n\nWe recommend that you upgrade your commons-beanutils packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-08-24T00:00:00", "type": "osv", "title": "commons-beanutils - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2022-08-05T05:18:33", "id": "OSV:DLA-1896-1", "href": "https://osv.dev/vulnerability/DLA-1896-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-12-10T15:15:32", "description": "Package : jackson-databind\nVersion : 2.4.2-2+deb8u9\nCVE ID : CVE-2019-14540 CVE-2019-16335 CVE-2019-16942\n CVE-2019-16943\nDebian Bug : 940498 941530\n\nMore deserialization flaws were discovered in jackson-databind\nrelating to the classes in com.zaxxer.hikari.HikariConfig,\ncom.zaxxer.hikari.HikariDataSource, commons-dbcp and\ncom.p6spy.engine.spy.P6DataSource, which could allow an\nunauthenticated user to perform remote code execution. The issue was\nresolved by extending the blacklist and blocking more classes from\npolymorphic deserialization.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.4.2-2+deb8u9.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-02T22:48:42", "type": "debian", "title": "[SECURITY] [DLA 1943-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-02T22:48:42", "id": "DEBIAN:DLA-1943-1:5F5AB", "href": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T12:10:45", "description": "Package : jackson-databind\nVersion : 2.4.2-2+deb8u9\nCVE ID : CVE-2019-14540 CVE-2019-16335 CVE-2019-16942\n CVE-2019-16943\nDebian Bug : 940498 941530\n\nMore deserialization flaws were discovered in jackson-databind\nrelating to the classes in com.zaxxer.hikari.HikariConfig,\ncom.zaxxer.hikari.HikariDataSource, commons-dbcp and\ncom.p6spy.engine.spy.P6DataSource, which could allow an\nunauthenticated user to perform remote code execution. The issue was\nresolved by extending the blacklist and blocking more classes from\npolymorphic deserialization.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.4.2-2+deb8u9.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-02T22:48:42", "type": "debian", "title": "[SECURITY] [DLA 1943-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-02T22:48:42", "id": "DEBIAN:DLA-1943-1:9AD98", "href": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-23T08:52:39", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4542-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nOctober 06, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : jackson-databind\nCVE ID : CVE-2019-12384 CVE-2019-14439 CVE-2019-14540 CVE-2019-16335 \n CVE-2019-16942 CVE-2019-16943\nDebian Bug : 941530 940498 933393 930750\n\nIt was discovered that jackson-databind, a Java library used to parse\nJSON and other data formats, did not properly validate user input\nbefore attempting deserialization. This allowed an attacker providing\nmaliciously crafted input to perform code execution, or read arbitrary\nfiles on the server.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2.8.6-1+deb9u6.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.9.8-3+deb10u1.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFor the detailed security status of jackson-databind please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/jackson-databind\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-06T08:28:37", "type": "debian", "title": "[SECURITY] [DSA 4542-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-06T08:28:37", "id": "DEBIAN:DSA-4542-1:432E5", "href": "https://lists.debian.org/debian-security-announce/2019/msg00191.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-26T15:18:20", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4542-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nOctober 06, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : jackson-databind\nCVE ID : CVE-2019-12384 CVE-2019-14439 CVE-2019-14540 CVE-2019-16335 \n CVE-2019-16942 CVE-2019-16943\nDebian Bug : 941530 940498 933393 930750\n\nIt was discovered that jackson-databind, a Java library used to parse\nJSON and other data formats, did not properly validate user input\nbefore attempting deserialization. This allowed an attacker providing\nmaliciously crafted input to perform code execution, or read arbitrary\nfiles on the server.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2.8.6-1+deb9u6.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2.9.8-3+deb10u1.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFor the detailed security status of jackson-databind please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/jackson-databind\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-06T08:28:37", "type": "debian", "title": "[SECURITY] [DSA 4542-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-10-06T08:28:37", "id": "DEBIAN:DSA-4542-1:03F2D", "href": "https://lists.debian.org/debian-security-announce/2019/msg00191.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T11:48:24", "description": "Package : jackson-databind\nVersion : 2.4.2-2+deb8u10\nCVE ID : CVE-2019-17267 CVE-2019-17531\n\nMore deserialization flaws were discovered in jackson-databind which\ncould allow an unauthenticated user to perform remote code execution.\nThe issue was resolved by extending the blacklist and blocking more\nclasses from polymorphic deserialization.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.4.2-2+deb8u10.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-10T18:54:11", "type": "debian", "title": "[SECURITY] [DLA 2030-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17267", "CVE-2019-17531"], "modified": "2019-12-10T18:54:11", "id": "DEBIAN:DLA-2030-1:DE561", "href": "https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-24T16:21:24", "description": "Package : jackson-databind\nVersion : 2.4.2-2+deb8u10\nCVE ID : CVE-2019-17267 CVE-2019-17531\n\nMore deserialization flaws were discovered in jackson-databind which\ncould allow an unauthenticated user to perform remote code execution.\nThe issue was resolved by extending the blacklist and blocking more\nclasses from polymorphic deserialization.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.4.2-2+deb8u10.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-10T18:54:11", "type": "debian", "title": "[SECURITY] [DLA 2030-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17267", "CVE-2019-17531"], "modified": "2019-12-10T18:54:11", "id": "DEBIAN:DLA-2030-1:F7B6F", "href": "https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-01T15:15:59", "description": "Package : commons-beanutils\nVersion : 1.9.2-1+deb8u1\nCVE ID : CVE-2019-10086\n\nIt was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\n\nFor Debian 8 "Jessie", this issue has been fixed in commons-beanutils\nversion 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-08-24T14:49:34", "type": "debian", "title": "[SECURITY] [DLA 1896-1] commons-beanutils security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-08-24T14:49:34", "id": "DEBIAN:DLA-1896-1:572E2", "href": "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T12:45:58", "description": "Package : commons-beanutils\nVersion : 1.9.2-1+deb8u1\nCVE ID : CVE-2019-10086\n\nIt was discovered that there was a remote arbitrary code\nvulnerability in commons-beanutils, a set of utilities for\nmanipulating JavaBeans code.\n\nFor Debian 8 "Jessie", this issue has been fixed in commons-beanutils\nversion 1.9.2-1+deb8u1.\n\nWe recommend that you upgrade your commons-beanutils packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2019-08-24T14:49:34", "type": "debian", "title": "[SECURITY] [DLA 1896-1] commons-beanutils security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10086"], "modified": "2019-08-24T14:49:34", "id": "DEBIAN:DLA-1896-1:853E6", "href": "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-24T14:30:59", "description": "- Update jackson-parent to version 2.10.\n\n - Update jackson-bom to version 2.10.0.\n\n - Update jackson-annotations to version 2.10.0.\n\n - Update jackson-core to version 2.10.0.\n\n - Update jackson-databind to version 2.10.0.\n\nResolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-10-14T00:00:00", "type": "nessus", "title": "Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-12-19T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:jackson-annotations", "p-cpe:/a:fedoraproject:fedora:jackson-bom", "p-cpe:/a:fedoraproject:fedora:jackson-core", "p-cpe:/a:fedoraproject:fedora:jackson-databind", "p-cpe:/a:fedoraproject:fedora:jackson-parent", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-B171554877.NASL", "href": "https://www.tenable.com/plugins/nessus/129833", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-b171554877.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129833);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/12/19\");\n\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_xref(name:\"FEDORA\", value:\"2019-b171554877\");\n\n script_name(english:\"Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update jackson-parent to version 2.10.\n\n - Update jackson-bom to version 2.10.0.\n\n - Update jackson-annotations to version 2.10.0.\n\n - Update jackson-core to version 2.10.0.\n\n - Update jackson-databind to version 2.10.0.\n\nResolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,\nCVE-2019-16943.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-b171554877\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jackson-bom\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jackson-parent\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"jackson-annotations-2.10.0-1.fc30\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"jackson-bom-2.10.0-1.fc30\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"jackson-core-2.10.0-1.fc30\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"jackson-databind-2.10.0-1.fc30\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"jackson-parent-2.10-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:29:45", "description": "More deserialization flaws were discovered in jackson-databind relating to the classes in com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource, commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u9.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-10-03T00:00:00", "type": "nessus", "title": "Debian DLA-1943-1 : jackson-databind security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libjackson2-databind-java", "p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1943.NASL", "href": "https://www.tenable.com/plugins/nessus/129539", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1943-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129539);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n\n script_name(english:\"Debian DLA-1943-1 : jackson-databind security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"More deserialization flaws were discovered in jackson-databind\nrelating to the classes in com.zaxxer.hikari.HikariConfig,\ncom.zaxxer.hikari.HikariDataSource, commons-dbcp and\ncom.p6spy.engine.spy.P6DataSource, which could allow an\nunauthenticated user to perform remote code execution. The issue was\nresolved by extending the blacklist and blocking more classes from\npolymorphic deserialization.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.4.2-2+deb8u9.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/jackson-databind\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjackson2-databind-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java\", reference:\"2.4.2-2+deb8u9\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java-doc\", reference:\"2.4.2-2+deb8u9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:55:31", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0161 advisory.\n\n - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885)\n\n - undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n - jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n - jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-01-22T00:00:00", "type": "nessus", "title": "RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 8 (RHSA-2020:0161)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-netty", "p-cpe:/a:redhat:enterprise_linux:eap7-netty-all", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-web", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"], "id": "REDHAT-RHSA-2020-0161.NASL", "href": "https://www.tenable.com/plugins/nessus/133158", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0161. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133158);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\n \"CVE-2019-10219\",\n \"CVE-2019-14540\",\n \"CVE-2019-14885\",\n \"CVE-2019-14888\",\n \"CVE-2019-14892\",\n \"CVE-2019-14893\",\n \"CVE-2019-16335\",\n \"CVE-2019-16869\",\n \"CVE-2019-16942\",\n \"CVE-2019-16943\",\n \"CVE-2019-17267\",\n \"CVE-2019-17531\"\n );\n script_xref(name:\"RHSA\", value:\"2020:0161\");\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n\n script_name(english:\"RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 8 (RHSA-2020:0161)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:0161 advisory.\n\n - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command\n (CVE-2019-14885)\n\n - undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n - jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n - jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10219\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14540\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14885\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14888\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14892\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16869\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16943\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17267\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0161\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1738673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755849\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758171\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758182\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758187\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758191\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758619\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1770615\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1772464\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775293\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17267\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 79, 200, 400, 444, 502, 532);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-netty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/layered/rhel8/x86_64/jbeap/7.2/debug',\n 'content/dist/layered/rhel8/x86_64/jbeap/7.2/os',\n 'content/dist/layered/rhel8/x86_64/jbeap/7.2/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'eap7-apache-cxf-3.2.11-1.redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-core-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jberet-1.3.5-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-netty-4.1.42-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:55:37", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0159 advisory.\n\n - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885)\n\n - undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n - jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n - jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-01-22T00:00:00", "type": "nessus", "title": "RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 6 (RHSA-2020:0159)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-netty", "p-cpe:/a:redhat:enterprise_linux:eap7-netty-all", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-web", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"], "id": "REDHAT-RHSA-2020-0159.NASL", "href": "https://www.tenable.com/plugins/nessus/133156", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0159. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133156);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\n \"CVE-2019-10219\",\n \"CVE-2019-14540\",\n \"CVE-2019-14885\",\n \"CVE-2019-14888\",\n \"CVE-2019-14892\",\n \"CVE-2019-14893\",\n \"CVE-2019-16335\",\n \"CVE-2019-16869\",\n \"CVE-2019-16942\",\n \"CVE-2019-16943\",\n \"CVE-2019-17267\",\n \"CVE-2019-17531\"\n );\n script_xref(name:\"RHSA\", value:\"2020:0159\");\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n\n script_name(english:\"RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 6 (RHSA-2020:0159)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:0159 advisory.\n\n - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command\n (CVE-2019-14885)\n\n - undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n - jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n - jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10219\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14540\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14885\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14888\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14892\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16869\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16943\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17267\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0159\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1738673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755849\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758171\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758182\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758187\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758191\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758619\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1770615\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1772464\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775293\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17267\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 79, 200, 400, 444, 502, 532);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-netty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/6/6Server/x86_64/jbeap/7.2/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/jbeap/7.2/os',\n 'content/dist/rhel/server/6/6Server/x86_64/jbeap/7.2/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'eap7-apache-cxf-3.2.11-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-core-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jberet-1.3.5-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-netty-4.1.42-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:55:28", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0160 advisory.\n\n - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885)\n\n - undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n - jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n - jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-01-22T00:00:00", "type": "nessus", "title": "RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 7 (RHSA-2020:0160)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2", "p-cpe:/a:redhat:enterprise_linux:eap7-netty", "p-cpe:/a:redhat:enterprise_linux:eap7-netty-all", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core", "p-cpe:/a:redhat:enterprise_linux:eap7-weld-web", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"], "id": "REDHAT-RHSA-2020-0160.NASL", "href": "https://www.tenable.com/plugins/nessus/133157", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0160. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133157);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\n \"CVE-2019-10219\",\n \"CVE-2019-14540\",\n \"CVE-2019-14885\",\n \"CVE-2019-14888\",\n \"CVE-2019-14892\",\n \"CVE-2019-14893\",\n \"CVE-2019-16335\",\n \"CVE-2019-16869\",\n \"CVE-2019-16942\",\n \"CVE-2019-16943\",\n \"CVE-2019-17267\",\n \"CVE-2019-17531\"\n );\n script_xref(name:\"RHSA\", value:\"2020:0160\");\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n\n script_name(english:\"RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 7 (RHSA-2020:0160)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:0160 advisory.\n\n - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command\n (CVE-2019-14885)\n\n - undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)\n\n - jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)\n\n - jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-10219\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14540\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14885\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14888\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14892\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14893\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16869\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16943\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17267\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1738673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755849\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758171\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758182\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758187\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758191\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758619\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1770615\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1772464\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775293\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17267\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 79, 200, 400, 444, 502, 532);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-netty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/7/7Server/x86_64/jbeap/7.2/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/jbeap/7.2/os',\n 'content/dist/rhel/server/7/7Server/x86_64/jbeap/7.2/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/jbeap/7/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/jbeap/7/os',\n 'content/dist/rhel/server/7/7Server/x86_64/jbeap/7/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'eap7-apache-cxf-3.2.11-1.redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-core-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jberet-1.3.5-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-netty-4.1.42-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-java-jdk11-7.2.6-5.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-java-jdk8-7.2.6-5.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:58:58", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by the following vulnerabilities as referenced in the April 2020 CPU advisory:\n\n - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, this characteristic of the PropertyUtilsBean was not used by default.\n (CVE-2019-10086)\n\n - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402)\n\n - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943)\n\n - Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. (CVE-2019-17195)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "nessus", "title": "Oracle Primavera Gateway (Apr 2020 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10086", "CVE-2019-12402", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17195", "CVE-2019-17531"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:primavera_gateway"], "id": "ORACLE_PRIMAVERA_GATEWAY_CPU_APR_2020.NASL", "href": "https://www.tenable.com/plugins/nessus/135583", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135583);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2019-10086\",\n \"CVE-2019-12402\",\n \"CVE-2019-16942\",\n \"CVE-2019-16943\",\n \"CVE-2019-17195\",\n \"CVE-2019-17531\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0140-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0347-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Primavera Gateway (Apr 2020 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nthe following vulnerabilities as referenced in the April 2020 CPU advisory:\n\n - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows\n suppressing the ability for an attacker to access the classloader via the class property available on all\n Java objects. However, this characteristic of the PropertyUtilsBean was not used by default.\n (CVE-2019-10086)\n\n - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an\n infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an\n attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402)\n\n - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default\n Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and\n the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint\n to access, it is possible to make the service execute a malicious payload. This issue exists because of\n com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943)\n\n - Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which\n could result in an application crash (potential information disclosure) or a potential authentication\n bypass. (CVE-2019-17195)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-16943\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:primavera_gateway\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_primavera_gateway.nbin\");\n script_require_keys(\"installed_sw/Oracle Primavera Gateway\");\n script_require_ports(\"Services/www\", 8006);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nget_install_count(app_name:'Oracle Primavera Gateway', exit_if_zero:TRUE);\n\nport = get_http_port(default:8006);\n\napp_info = vcf::get_app_info(app:'Oracle Primavera Gateway', port:port);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '16.2.0',\n 'max_version' : '16.2.11',\n 'fixed_display' : 'Upgrade to the latest version or contact customer support for more information.'\n },\n { 'min_version' : '17.12.0', 'fixed_version' : '17.12.7' },\n { 'min_version' : '18.8.0', 'fixed_version' : '18.8.8.9' },\n { 'min_version' : '19.12.0', 'fixed_version' : '19.12.4' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:30:12", "description": "It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.", "cvss3": {}, "published": "2019-10-07T00:00:00", "type": "nessus", "title": "Debian DSA-4542-1 : jackson-databind - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12384", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"], "modified": "2019-12-23T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:jackson-databind", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4542.NASL", "href": "https://www.tenable.com/plugins/nessus/129597", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4542. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129597);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-12384\", \"CVE-2019-14439\", \"CVE-2019-14540\", \"CVE-2019-16335\", \"CVE-2019-16942\", \"CVE-2019-16943\");\n script_xref(name:\"DSA\", value:\"4542\");\n\n script_name(english:\"Debian DSA-4542-1 : jackson-databind - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that jackson-databind, a Java library used to parse\nJSON and other data formats, did not properly validate user input\nbefore attempting deserialization. This allowed an attacker providing\nmaliciously crafted input to perform code execution, or read arbitrary\nfiles on the server.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941530\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940498\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933393\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750\"\n );\n # https://security-tracker.debian.org/tracker/source-package/jackson-databind\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?61134ddf\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/jackson-databind\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/jackson-databind\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4542\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the jackson-databind packages.\n\nFor the oldstable distribution (stretch), these problems have been\nfixed in version 2.8.6-1+deb9u6.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2.9.8-3+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libjackson2-databind-java\", reference:\"2.9.8-3+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libjackson2-databind-java-doc\", reference:\"2.9.8-3+deb10u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libjackson2-databind-java\", reference:\"2.8.6-1+deb9u6\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libjackson2-databind-java-doc\", reference:\"2.8.6-1+deb9u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:33:25", "description": "More deserialization flaws were discovered in jackson-databind which could allow an unauthenticated user to perform remote code execution.\nThe issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u10.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-12-12T00:00:00", "type": "nessus", "title": "Debian DLA-2030-1 : jackson-databind security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17267", "CVE-2019-17531"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libjackson2-databind-java", "p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2030.NASL", "href": "https://www.tenable.com/plugins/nessus/131963", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2030-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131963);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-17267\", \"CVE-2019-17531\");\n\n script_name(english:\"Debian DLA-2030-1 : jackson-databind security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"More deserialization flaws were discovered in jackson-databind which\ncould allow an unauthenticated user to perform remote code execution.\nThe issue was resolved by extending the blacklist and blocking more\nclasses from polymorphic deserialization.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.4.2-2+deb8u10.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/jackson-databind\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjackson2-databind-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java\", reference:\"2.4.2-2+deb8u10\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java-doc\", reference:\"2.4.2-2+deb8u10\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:19:09", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1644 advisory.\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n - jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)\n\n - jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672, CVE-2020-10673)\n\n - jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)\n\n - jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)\n\n - jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n - jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-04-28T00:00:00", "type": "nessus", "title": "RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17531", "CVE-2019-20330", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-8840", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.2", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:apache-commons-collections", "p-cpe:/a:redhat:enterprise_linux:apache-commons-lang", "p-cpe:/a:redhat:enterprise_linux:bea-stax-api", "p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2", "p-cpe:/a:redhat:enterprise_linux:jackson-annotations", "cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.2", "cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.2", "p-cpe:/a:redhat:enterprise_linux:pki-servlet-engine", "p-cpe:/a:redhat:enterprise_linux:pki-symkey", "p-cpe:/a:redhat:enterprise_linux:pki-tools", "p-cpe:/a:redhat:enterprise_linux:python-nss-doc", "p-cpe:/a:redhat:enterprise_linux:python3-nss", "p-cpe:/a:redhat:enterprise_linux:python3-pki", "p-cpe:/a:redhat:enterprise_linux:jackson-core", "p-cpe:/a:redhat:enterprise_linux:jackson-databind", "p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers", "p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient", "p-cpe:/a:redhat:enterprise_linux:javassist", "p-cpe:/a:redhat:enterprise_linux:javassist-javadoc", "p-cpe:/a:redhat:enterprise_linux:jss", "p-cpe:/a:redhat:enterprise_linux:jss-javadoc", "p-cpe:/a:redhat:enterprise_linux:ldapjdk", "p-cpe:/a:redhat:enterprise_linux:ldapjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:pki-base", "p-cpe:/a:redhat:enterprise_linux:pki-base-java", "p-cpe:/a:redhat:enterprise_linux:pki-ca", "p-cpe:/a:redhat:enterprise_linux:pki-kra", "p-cpe:/a:redhat:enterprise_linux:pki-server", "p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api", "p-cpe:/a:redhat:enterprise_linux:relaxngdatatype", "p-cpe:/a:redhat:enterprise_linux:resteasy", "p-cpe:/a:redhat:enterprise_linux:slf4j", "p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14", "p-cpe:/a:redhat:enterprise_linux:stax-ex", "p-cpe:/a:redhat:enterprise_linux:tomcatjss", "p-cpe:/a:redhat:enterprise_linux:velocity", "p-cpe:/a:redhat:enterprise_linux:xalan-j2", "p-cpe:/a:redhat:enterprise_linux:xerces-j2", "p-cpe:/a:redhat:enterprise_linux:xml-commons-apis", "p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver", "p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer", "p-cpe:/a:redhat:enterprise_linux:xsom"], "id": "REDHAT-RHSA-2020-1644.NASL", "href": "https://www.tenable.com/plugins/nessus/136041", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1644. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136041);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2019-14540\",\n \"CVE-2019-16335\",\n \"CVE-2019-16942\",\n \"CVE-2019-16943\",\n \"CVE-2019-17531\",\n \"CVE-2019-20330\",\n \"CVE-2020-8840\",\n \"CVE-2020-9546\",\n \"CVE-2020-9547\",\n \"CVE-2020-9548\",\n \"CVE-2020-10672\",\n \"CVE-2020-10673\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0326\");\n script_xref(name:\"IAVA\", value:\"2020-A-0328\");\n script_xref(name:\"IAVA\", value:\"2020-A-0324\");\n script_xref(name:\"RHSA\", value:\"2020:1644\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:1644 advisory.\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)\n\n - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)\n\n - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)\n\n - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)\n\n - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n - jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)\n\n - jackson-databind: mishandles the interaction between serialization gadgets and typing which could result\n in remote command execution (CVE-2020-10672, CVE-2020-10673)\n\n - jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)\n\n - jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)\n\n - jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n - jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14540\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16943\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20330\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8840\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-9546\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-9547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-9548\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:1644\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1755849\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758187\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758191\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775293\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1793154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1815470\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1815495\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1816330\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1816332\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1816337\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1816340\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17531\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-9548\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 96, 200, 502);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-collections\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bea-stax-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:javassist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:javassist-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jss-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ldapjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ldapjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-base-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-ca\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-kra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-servlet-engine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-symkey\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-nss-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pki\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:relaxngDatatype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slf4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:stax-ex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcatjss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:velocity\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xalan-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xml-commons-apis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xsom\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar appstreams = {\n 'pki-deps:10.6': [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/8.2/s390x/sap/os',\n 'content/eus/rhel8/8.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/supplementary/debug',\n 'content/eus/rhel8/8.2/s390x/supplementary/os',\n 'content/eus/rhel8/8.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/appstream/debug',\n 'content/eus/rhel8/8.2/x86_64/appstream/os',\n 'content/eus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/baseos/debug',\n 'content/eus/rhel8/8.2/x86_64/baseos/os',\n 'content/eus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.2/x86_64/highavailability/os',\n 'content/eus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap/debug',\n 'content/eus/rhel8/8.2/x86_64/sap/os',\n 'content/eus/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.2/x86_64/supplementary/os',\n 'content/eus/rhel8/8.2/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/appstream/debug',\n 'content/tus/rhel8/8.2/x86_64/appstream/os',\n 'content/tus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/baseos/debug',\n 'content/tus/rhel8/8.2/x86_64/baseos/os',\n 'content/tus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.2/x86_64/highavailability/os',\n 'content/tus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/nfv/debug',\n 'content/tus/rhel8/8.2/x86_64/nfv/os',\n 'content/tus/rhel8/8.2/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/rt/debug',\n 'content/tus/rhel8/8.2/x86_64/rt/os',\n 'content/tus/rhel8/8.2/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'2', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'2', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'2', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'velocity-1.7-24.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c', 'sp':'2', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.4/x86_64/appstream/debug',\n 'content/aus/rhel8/8.4/x86_64/appstream/os',\n 'content/aus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.4/x86_64/baseos/debug',\n 'content/aus/rhel8/8.4/x86_64/baseos/os',\n 'content/aus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/appstream/debug',\n 'content/e4s/rhel8/8.4/aarch64/appstream/os',\n 'content/e4s/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/baseos/debug',\n 'content/e4s/rhel8/8.4/aarch64/baseos/os',\n 'content/e4s/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/appstream/debug',\n 'content/e4s/rhel8/8.4/s390x/appstream/os',\n 'content/e4s/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/baseos/debug',\n 'content/e4s/rhel8/8.4/s390x/baseos/os',\n 'content/e4s/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.4/x86_64/appstream/os',\n 'content/e4s/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.4/x86_64/baseos/os',\n 'content/e4s/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/nfv/debug',\n 'content/e4s/rhel8/8.4/x86_64/nfv/os',\n 'content/e4s/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap/os',\n 'content/e4s/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/appstream/debug',\n 'content/eus/rhel8/8.4/aarch64/appstream/os',\n 'content/eus/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/baseos/debug',\n 'content/eus/rhel8/8.4/aarch64/baseos/os',\n 'content/eus/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.4/aarch64/highavailability/os',\n 'content/eus/rhel8/8.4/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.4/aarch64/supplementary/os',\n 'content/eus/rhel8/8.4/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.4/ppc64le/appstream/os',\n 'content/eus/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.4/ppc64le/baseos/os',\n 'content/eus/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap/os',\n 'content/eus/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/appstream/debug',\n 'content/eus/rhel8/8.4/s390x/appstream/os',\n 'content/eus/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/baseos/debug',\n 'content/eus/rhel8/8.4/s390x/baseos/os',\n 'content/eus/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/highavailability/debug',\n 'content/eus/rhel8/8.4/s390x/highavailability/os',\n 'content/eus/rhel8/8.4/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/sap/debug',\n 'content/eus/rhel8/8.4/s390x/sap/os',\n 'content/eus/rhel8/8.4/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/supplementary/debug',\n 'content/eus/rhel8/8.4/s390x/supplementary/os',\n 'content/eus/rhel8/8.4/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/appstream/debug',\n 'content/eus/rhel8/8.4/x86_64/appstream/os',\n 'content/eus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/baseos/debug',\n 'content/eus/rhel8/8.4/x86_64/baseos/os',\n 'content/eus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.4/x86_64/highavailability/os',\n 'content/eus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap/debug',\n 'content/eus/rhel8/8.4/x86_64/sap/os',\n 'content/eus/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.4/x86_64/supplementary/os',\n 'content/eus/rhel8/8.4/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/appstream/debug',\n 'content/tus/rhel8/8.4/x86_64/appstream/os',\n 'content/tus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/baseos/debug',\n 'content/tus/rhel8/8.4/x86_64/baseos/os',\n 'content/tus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.4/x86_64/highavailability/os',\n 'content/tus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/nfv/debug',\n 'content/tus/rhel8/8.4/x86_64/nfv/os',\n 'content/tus/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/rt/debug',\n 'content/tus/rhel8/8.4/x86_64/rt/os',\n 'content/tus/rhel8/8.4/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'4', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'4', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'4', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'velocity-1.7-24.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c', 'sp':'4', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'6', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'6', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'sp':'6', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'velocity-1.7-24.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c', 'sp':'6', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8', 'el_string':'el8.2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'velocity-1.7-24.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c', 'release':'8', 'el_string':'el8.1.0', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n ],\n 'pki-core:10.6': [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/

(RHSA-2020:0899) Important: Red Hat Decision Manager 7.7.0 Security Update

Description

Related