This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.


Repository: externalapi-nbi

Group: com.fasterxml.jackson.core

Problem Code: N/A

Effective/Ineffective: Ineffective. DefaultTyping is disabled; polymorphism with default typing, or manual type setting by property, is not used in NBI. Spring Security is not used.

Resolvable by Project: Yes

Impact Analysis: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. An application using this component is vulnerable when default typing is enabled and untrusted data is passed in to be deserialized.

Action: Check the incoming 2.10.x, which is currently available only as a pre-release.
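The two conditions above (default typing enabled, untrusted input) are what make this class of jackson-databind bug reachable, and the 2.10.x line adds an allowlist-based way to enable polymorphism when it is genuinely needed. The following is an added example, not code from the NBI project; the Event/ServiceOrderEvent classes are hypothetical stand-ins for application model types, and it assumes jackson-databind 2.10.x on the classpath.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class NbiJacksonConfig {
    // Hypothetical application model; the real NBI classes are not shown on this page.
    public static abstract class Event { public String orderId; }
    public static class ServiceOrderEvent extends Event { }

    /** Posture described in the table: default typing is never activated, so a type id
     *  embedded in untrusted input is never used to pick a class to instantiate. */
    public static ObjectMapper plainMapper() {
        return new ObjectMapper();   // no enableDefaultTyping()/activateDefaultTyping() call
    }

    /** If polymorphic deserialization is ever required on 2.10.x: activate default typing
     *  only through a validator that restricts both the base types and the subtypes. */
    public static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Event.class)   // type ids are consulted only for Event targets
                .allowIfSubType(Event.class)    // and may only resolve to Event subclasses
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** true if the mapper accepted the document as an Event, false if it rejected it. */
    public static boolean accepts(ObjectMapper m, String json) {
        try {
            return m.readValue(json, Event.class) != null;
        } catch (JsonMappingException rejected) {   // type id denied, or shape mismatch
            return false;
        } catch (java.io.IOException other) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs in Jackson's WRAPPER_ARRAY form: ["type id", {...}].
        String own = "[\"" + ServiceOrderEvent.class.getName() + "\", {\"orderId\": \"42\"}]";
        String foreign = "[\"java.util.HashMap\", {}]";   // type id outside the Event hierarchy
        System.out.println("plain, own type id:        " + accepts(plainMapper(), own));       // false: array ignored as type info
        System.out.println("plain, foreign type id:    " + accepts(plainMapper(), foreign));   // false: never instantiated
        System.out.println("allowlist, own type id:    " + accepts(allowlistedMapper(), own));      // true
        System.out.println("allowlist, foreign type id:" + accepts(allowlistedMapper(), foreign));  // false: denied by validator
    }
}
```

With the plain mapper, the abstract Event target and the array shape are rejected outright, which is the behaviour the "DefaultTyping is disabled" justification relies on; with the allowlisted mapper, a type id naming anything outside the Event hierarchy is refused before any class is instantiated.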