jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...

GHSA-FV7X-4HPC-HF9F Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF Cross Style Request Forgery style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.3.0 <=1.3.2), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.1.0 <=1.3.2) +6 more potentially affected by CVE-2017-12631 via org.apache.cxf.fediz:fediz-spring (>=1.1.0 <=1.3.2)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.1.0, =1.3.0, =1.1.0, =1.1.0, =1.2.0, =1.2.0, =1.1.0, =1.1.0, =1.1.0, =1.3.2 Source cves: CVE-2017-12631 Source advisory: OSV:GHSA-FV7X-4HPC-HF9F...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.4.0 <=1.4.2), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.4.0 <=1.4.2) +4 more potentially affected by CVE-2017-12631 via org.apache.cxf.fediz:fediz-spring (>=1.4.0 <=1.4.2)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.2 Source cves: CVE-2017-12631 Source advisory: OSV:GHSA-FV7X-4HPC-HF9F...

org.apache.cxf.fediz.examples:spring2Webapp (>=1.1.0 <=1.3.2), org.apache.cxf.fediz.systests.webapps:fediz-systests-webapps-spring2 (>=1.2.0 <=1.3.2) +2 more potentially affected by CVE-2017-12631 via org.apache.cxf.fediz:fediz-spring2 (>=1.1.0 <=1.3.2)

org.apache.cxf.fediz:fediz-spring2 MAVEN version =1.1.0, =1.1.0, =1.2.0, =1.1.0, =1.1.0, =1.3.2 Source cves: CVE-2017-12631 Source advisory: OSV:GHSA-FV7X-4HPC-HF9F...

Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF Cross Style Request Forgery style vulnerability has been found in the Spring 2, Spring 3 and Spring 4 plugins in versions before 1.4.3 and 1.3.3. The vulnerability can result in a...

org.apache.cxf.fediz.examples:spring2Webapp (>=1.4.0 <=1.4.2), org.apache.cxf.fediz.systests.webapps:fediz-systests-webapps-spring2 (>=1.4.0 <=1.4.2) +1 more potentially affected by CVE-2017-12631 via org.apache.cxf.fediz:fediz-spring2 (>=1.4.0 <=1.4.2)

org.apache.cxf.fediz:fediz-spring2 MAVEN version =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.2 Source cves: CVE-2017-12631 Source advisory: OSV:GHSA-FV7X-4HPC-HF9F...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (=1.3.0), org.apache.cxf.fediz.examples:springPreauthWebapp (=1.3.0) +4 more potentially affected by CVE-2016-4464 via org.apache.cxf.fediz:fediz-spring (=1.3.0)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.cxf.fediz:fediz-spring and may be impacted: - org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp =1.3.0 -...

GHSA-QPWJ-MVV7-V3M9 High severity vulnerability that affects org.apache.cxf.fediz:fediz-spring and org.apache.cxf.fediz:fediz-spring2

The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token...

org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.2.0 <=1.2.2), org.apache.cxf.fediz.examples:springWebapp (>=1.2.0 <=1.2.2) +3 more potentially affected by CVE-2016-4464 via org.apache.cxf.fediz:fediz-spring (>=1.2.0 <=1.2.2)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.0, =1.2.2 Source cves: CVE-2016-4464 Source advisory: OSV:GHSA-QPWJ-MVV7-V3M9...

org.apache.cxf.fediz.examples:spring2Webapp (=1.3.0), org.apache.cxf.fediz.systests.webapps:fediz-systests-webapps-spring2 (=1.3.0) +1 more potentially affected by CVE-2016-4464 via org.apache.cxf.fediz:fediz-spring2 (=1.3.0)

org.apache.cxf.fediz:fediz-spring2 MAVEN version =1.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.cxf.fediz:fediz-spring2 and may be impacted: - org.apache.cxf.fediz.examples:spring2Webapp =1.3.0 -...

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.3.0 <=1.4.3), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.1.0 <=1.4.3) +6 more potentially affected by CVE-2018-8038 via org.apache.cxf.fediz:fediz-spring (>=1.1.0 <=1.4.3)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.1.0, =1.3.0, =1.1.0, =1.1.0, =1.2.0, =1.2.0, =1.1.0, =1.1.0, =1.1.0, =1.4.3 Source cves: CVE-2018-8038 Source advisory: OSV:GHSA-W3GH-G32M-CVHR...

GHSA-W3GH-G32M-CVHR High severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, org.apache.cxf.fediz:fediz-spring, org.apache.cxf.fediz:fediz-spring2, and org.apache.cxf.fediz:fediz-spring3

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations DTDs when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters...

GHSA-WHW7-H25V-9QVX Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, and org.apache.cxf.fediz:fediz-spring2

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF Cross Style Request Forgery style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4...

org.apache.cxf.fediz.examples:spring2Webapp (>=1.1.0 <=1.2.3), org.apache.cxf.fediz.systests.webapps:fediz-systests-webapps-spring2 (>=1.2.0 <=1.2.3) +2 more potentially affected by CVE-2017-7661 via org.apache.cxf.fediz:fediz-spring2 (>=1.1.0 <=1.2.3)

org.apache.cxf.fediz:fediz-spring2 MAVEN version =1.1.0, =1.1.0, =1.2.0, =1.1.0, =1.1.0, =1.2.3 Source cves: CVE-2017-7661 Source advisory: OSV:GHSA-WHW7-H25V-9QVX...

Moderate severity vulnerability that affects org.apache.cxf.fediz:fediz-jetty8, org.apache.cxf.fediz:fediz-jetty9, and org.apache.cxf.fediz:fediz-spring2

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF Cross Style Request Forgery style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4...

Important: Red Hat Security Advisory: Red Hat OpenShift Application Runtimes Spring Boot 1.5.16 update

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +17184 more potentially affected by CVE-2016-5007 via org.springframework:spring-core (>=1.2 <=4.3.0.RELEASE)

org.springframework:spring-core MAVEN version =1.2, =1.1, =1.3, =0.0.1, =0.1.6, =0.1.4-SB1X, =0.1.0, =0.1.0, =1.0, =5.0.9, =0.0.20, =0.0.34 - ar.com.onready:spring-resttemplate-logger =1.0.2 - at.chrl:chrl-jms =1.1.0 and more Source cves: CVE-2016-5007 Source advisory: OSV:GHSA-8CRV-49FR-2H6J...

ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7), ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.4-SB1X <=0.1.4-SB1X_6) +2039 more potentially affected by CVE-2016-5007 via org.springframework.security:spring-security-core (>=2.0.0 <=4.1.0.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =0.1.6, =0.1.4-SB1X, =1.1.0.RELEASE, =1.3.1-RELEASE, =0.3.3, =1.2.1, =2.0.0, =1.0.0, =1.0.0, =0.0.2, =0.4.0, =0.3.0, =0.7.0 - com.17jee:e-cloud-authorize =3.0.0.RELEASE and more Source cves: CVE-2016-5007 Source advisory:...

Spring Security and Spring Framework may not recognize certain paths that should be protected

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x as well as other unsupported versions rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms,...