176 matches found
CVE-2018-12022
CVE-2018-12022 affects FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (globally or for a property) and the service classpath contains the Jodd‑db jar (for Jodd DB access) with an LDAP service available, an attacker can trigger remote code executio...
[SECURITY] Fedora 29 Update: jackson-annotations-2.9.8-1.fc29
Core annotations used for value types, used by Jackson data-binding package...
[SECURITY] Fedora 29 Update: jackson-databind-2.9.8-1.fc29
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration...
jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the c3p0 gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLASS ...
[SECURITY] Fedora 27 Update: jackson-databind-2.7.6-8.fc27
General data-binding functionality for Jackson: works on core streaming API...
[SECURITY] Fedora 26 Update: jackson-databind-2.7.6-8.fc26
General data-binding functionality for Jackson: works on core streaming API...
Design/Logic Flaw
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property, which is disabled by default (i.e., set to 'false'), can be vulnerable to malicious EL expressions in view states that process form...
CVE-2017-8039
An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property, which is disabled by default (i.e., set to 'false'), can be vulnerable to malicious EL expressions in view states that process form...
[SECURITY] Fedora 26 Update: jackson-databind-2.7.6-5.fc26
General data-binding functionality for Jackson: works on core streaming API...
[SECURITY] Fedora 27 Update: jackson-databind-2.7.6-5.fc27
General data-binding functionality for Jackson: works on core streaming API...
Data Binding Expression Vulnerability
spring-webflow is vulnerable to a data binding expression vulnerability. The vulnerability is caused when the MvcViewFactoryCreator useSpringBinding property is set to false by default. Therefore, applications which use the default settings are vulnerable to malicious EL expressions in view state...
[SECURITY] Fedora 26 Update: jackson-databind-2.7.6-3.fc26
General data-binding functionality for Jackson: works on core streaming API...
[SECURITY] Fedora 25 Update: jackson-databind-2.7.6-3.fc25
General data-binding functionality for Jackson: works on core streaming API...
[SECURITY] Fedora 24 Update: jackson-databind-2.6.3-3.fc24
General data-binding functionality for Jackson: works on core streaming API...
CVE-2017-4971
An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property, which is disabled by default (i.e., set to 'false'), can be vulnerable to malicious EL expressions in view states that process form...
Pivotal Spring Web Flow Security Bypass Vulnerability(CVE-2017-4971)
Author: iswin@ThreatHunter A. Vulnerability description This vulnerability was submitted at the beginning of June, and the vendor has not published detailed information. By comparing the official description with the patch, we can roughly infer that it should be in Spring Web...
CVE-2017-4971: Spring WebFlow remote code execution vulnerability analysis-vulnerability warning-the black bar safety net
Spring has historically not had many severe vulnerabilities. The more serious earlier problem was Spring's automatic JavaBean binding feature, which allowed an attacker to control the bound class and, through certain characteristics of it, execute arbitrary code, but that...
Pivotal Spring Web Flow Remote Code Execution Vulnerability
Pivotal Spring Web Flow is a web application from Pivotal Software, Inc. that provides navigation for check-in, loan application or shopping cart checkout. A remote code execution vulnerability exists in Pivotal Spring Web Flow versions 2.4.0 through 2.4.4. The vulnerability is caused due to a...
Data Binding Expression Vulnerability
Spring Web Flow is vulnerable to a data binding expression vulnerability. The vulnerability is possible because the MvcViewFactoryCreator useSpringBinding property is set to false by default. Therefore, the applications which use the default settings are vulnerable to malicious EL expressions in...