odc-analyzer/test/resources/dependency-check-report-maven.xml

<?xml version="1.0"?><analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.2.xsd"><scanInfo><engineVersion>5.2.4</engineVersion><dataSource><name>NVD CVE Checked</name><timestamp>2019-11-21T13:01:40</timestamp></dataSource><dataSource><name>NVD CVE Modified</name><timestamp>2019-11-21T07:03:50</timestamp></dataSource></scanInfo><projectInfo><name>java-demo-project</name><groupID>com.ysoft.security</groupID> <artifactID>java-demo-project</artifactID><version>1.0-SNAPSHOT</version><reportDate>2020-01-28T12:41:14.891858Z</reportDate><credits>This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.</credits></projectInfo><dependencies><dependency isVirtual="false"><fileName>commons-collections-3.2.1.jar</fileName><filePath>/home/user/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar</filePath><md5>13bc641afd7fd95e09b260f69c1e4c91</md5><sha1>761ea405b9b37ced573d2df0d1e3a4e0f9edc668</sha1><sha256>87363a4c94eaabeefd8b930cb059f66b64c9f7d632862f23de3012da7660047b</sha256><description>Types that extend and augment the Java Collections Framework.</description><license>http://www.apache.org/licenses/LICENSE-2.0.txt</license><projectReferences><projectReference>java-demo-project:compile</projectReference></projectReferences><evidenceCollected><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>Implementation-Vendor-Id</name><value>org.apache</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>specification-vendor</name><value>The Apache Software Foundation</value></evidence><evidence type="vendor" confidence="HIGH"><source>Manifest</source><name>Implementation-Vendor</name><value>The Apache Software Foundation</value></evidence><evidence type="vendor" confidence="HIGH"><source>pom</source><name>name</name><value>Commons 
Collections</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://commons.apache.org/collections/</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>artifactid</name><value>commons-collections</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>pom</source><name>parent-groupid</name><value>org.apache.commons</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>parent-artifactid</name><value>commons-parent</value></evidence><evidence type="vendor" confidence="HIGH"><source>file</source><name>name</name><value>commons-collections</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>apache</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>org.apache.commons.collections</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>url</name><value>http://commons.apache.org/collections/</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>commons</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>collections</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>commons-collections</value></evidence><evidence type="product" confidence="HIGH"><source>pom</source><name>name</name><value>Commons Collections</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://commons.apache.org/collections/</value></evidence><evidence type="product" confidence="HIGH"><source>Manifest</source><name>Implementation-Title</name><value>Commons Collections</value></evidence><evidence type="product" 
confidence="LOW"><source>pom</source><name>parent-groupid</name><value>org.apache.commons</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>parent-artifactid</name><value>commons-parent</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>Bundle-Name</name><value>Commons Collections</value></evidence><evidence type="product" confidence="HIGHEST"><source>pom</source><name>artifactid</name><value>commons-collections</value></evidence><evidence type="product" confidence="HIGH"><source>file</source><name>name</name><value>commons-collections</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>specification-title</name><value>Commons Collections</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>apache</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>org.apache.commons.collections</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>commons</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>url</name><value>http://commons.apache.org/collections/</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>collections</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>groupid</name><value>commons-collections</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Implementation-Version</name><value>3.2.1</value></evidence><evidence type="version" confidence="HIGHEST"><source>file</source><name>version</name><value>3.2.1</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Bundle-Version</name><value>3.2.1</value></evidence><evidence type="version" 
confidence="HIGHEST"><source>pom</source><name>version</name><value>3.2.1</value></evidence><evidence type="version" confidence="LOW"><source>pom</source><name>parent-version</name><value>3.2.1</value></evidence></evidenceCollected><identifiers><package confidence="HIGH"><id>pkg:maven/commons-collections/commons-collections@3.2.1</id><url>https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@3.2.1</url></package><vulnerabilityIds confidence="HIGH"><id>pkg:maven/commons-collections/commons-collections@3.2.1</id><url>https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@3.2.1</url></vulnerabilityIds></identifiers><vulnerabilities><vulnerability source="NVD"><name>CVE-2015-6420</name><severity>HIGH</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cwes><cwe>CWE-502</cwe></cwes><description>Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) 
library.</description><references><reference><source>CONFIRM</source><url>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917</url><name>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917</name></reference><reference><source>BID</source><url>http://www.securityfocus.com/bid/78872</url><name>78872</name></reference><reference><source>CONFIRM</source><url>http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html</url><name>http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html</name></reference><reference><source>CISCO</source><url>http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization</url><name>20151209 Vulnerability in Java Deserialization Affecting Cisco Products</name></reference><reference><source>MISC</source><url>https://www.tenable.com/security/research/tra-2017-14</url><name>https://www.tenable.com/security/research/tra-2017-14</name></reference><reference><source>CONFIRM</source><url>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722</url><name>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722</name></reference><reference><source>CERT-VN</source><url>https://www.kb.cert.org/vuls/id/581311</url><name>VU#581311</name></reference><reference><source>MISC</source><url>https://www.kb.cert.org/vuls/id/576313</url><name>https://www.kb.cert.org/vuls/id/576313</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/ac157388-2d0e-4c78-b3f4-033572d19286</url><name>[CVE-2015-6420] Serialized-object interfaces in certain Cisco Collaboration and Social Media; 
En...</name></reference><reference><source>MISC</source><url>https://www.tenable.com/security/research/tra-2017-23</url><name>https://www.tenable.com/security/research/tra-2017-23</name></reference></references><vulnerableSoftware><software>cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*</software><software vulnerabilityIdMatched="true" versionEndIncluding="3.2.1">cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2017-15708</name><severity>CRITICAL</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cvssV3><baseScore>9.8</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>HIGH</integrityImpact><availabilityImpact>HIGH</availabilityImpact><baseSeverity>CRITICAL</baseSeverity></cvssV3><cwes><cwe>CWE-74</cwe></cwes><description>In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. 
In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E</url><name>[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability</name></reference><reference><source>BID</source><url>http://www.securityfocus.com/bid/102154</url><name>102154</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/9b28a5d2-9be7-4414-a59b-98e25e4c608a</url><name>[CVE-2017-15708] In Apache Synapse, by default no authentication is required for Java Remote Meth...</name></reference></references><vulnerableSoftware><software>cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*</software><software vulnerabilityIdMatched="true" versionEndIncluding="3.2.1">cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="OSSINDEX"><name>Remote code execution</name><severity>0.0</severity><description>&gt; It was found that a flaw in commons-collection library allowed remote code execution wherever deserialization occurs. While JBoss doesnt expose the JMXInvokerServlet by default, other interfaces where deserialization occur might be vulnerable.
&gt;
&gt; -- [redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=1279330)</description><references><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/ed5505cd-2b5b-4ca6-ab51-28ca91263b4e</url><name>Remote code execution</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true">cpe:2.3:a:commons-collections:commons-collections:3.2.1:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability></vulnerabilities></dependency><dependency isVirtual="false"><fileName>commons-cli-1.4.jar</fileName><filePath>/home/user/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar</filePath><md5>c966d7e03507c834d5b09b848560174e</md5><sha1>c51c00206bb913cd8612b24abd9fa98ae89719b1</sha1><sha256>fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328</sha256><description>
Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.
</description><license>https://www.apache.org/licenses/LICENSE-2.0.txt</license><projectReferences><projectReference>java-demo-project:compile</projectReference></projectReferences><evidenceCollected><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>Implementation-Vendor-Id</name><value>org.apache</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>specification-vendor</name><value>The Apache Software Foundation</value></evidence><evidence type="vendor" confidence="HIGH"><source>pom</source><name>name</name><value>Apache Commons CLI</value></evidence><evidence type="vendor" confidence="HIGH"><source>Manifest</source><name>Implementation-Vendor</name><value>The Apache Software Foundation</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>commons-cli</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.5))&quot;</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>url</name><value>http://commons.apache.org/proper/commons-cli/</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>pom</source><name>parent-groupid</name><value>org.apache.commons</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>parent-artifactid</name><value>commons-parent</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>implementation-url</name><value>http://commons.apache.org/proper/commons-cli/</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>cli</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>apache</value></evidence><evidence type="vendor" 
confidence="LOW"><source>pom</source><name>artifactid</name><value>commons-cli</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>implementation-build</name><value>tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>commons</value></evidence><evidence type="vendor" confidence="HIGH"><source>file</source><name>name</name><value>commons-cli</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>org.apache.commons.cli</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://commons.apache.org/proper/commons-cli/</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>groupid</name><value>commons-cli</value></evidence><evidence type="product" confidence="HIGH"><source>pom</source><name>name</name><value>Apache Commons CLI</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.5))&quot;</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>url</name><value>http://commons.apache.org/proper/commons-cli/</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>parent-groupid</name><value>org.apache.commons</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>parent-artifactid</name><value>commons-parent</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>implementation-url</name><value>http://commons.apache.org/proper/commons-cli/</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>cli</value></evidence><evidence type="product" 
confidence="MEDIUM"><source>Manifest</source><name>Bundle-Name</name><value>Apache Commons CLI</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>apache</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>specification-title</name><value>Apache Commons CLI</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>implementation-build</name><value>tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>commons</value></evidence><evidence type="product" confidence="HIGHEST"><source>pom</source><name>artifactid</name><value>commons-cli</value></evidence><evidence type="product" confidence="HIGH"><source>file</source><name>name</name><value>commons-cli</value></evidence><evidence type="product" confidence="HIGH"><source>Manifest</source><name>Implementation-Title</name><value>Apache Commons CLI</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>org.apache.commons.cli</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://commons.apache.org/proper/commons-cli/</value></evidence><evidence type="version" confidence="LOW"><source>pom</source><name>parent-version</name><value>1.4</value></evidence><evidence type="version" confidence="HIGHEST"><source>pom</source><name>version</name><value>1.4</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Implementation-Version</name><value>1.4</value></evidence><evidence type="version" confidence="HIGHEST"><source>file</source><name>version</name><value>1.4</value></evidence></evidenceCollected><identifiers><package 
confidence="HIGH"><id>pkg:maven/commons-cli/commons-cli@1.4</id><url>https://ossindex.sonatype.org/component/pkg:maven/commons-cli/commons-cli@1.4</url></package><vulnerabilityIds confidence="HIGH"><id>pkg:maven/commons-cli/commons-cli@1.4</id><url>https://ossindex.sonatype.org/component/pkg:maven/commons-cli/commons-cli@1.4</url></vulnerabilityIds></identifiers></dependency><dependency isVirtual="false"><fileName>jackson-databind-2.9.7.jar</fileName><filePath>/home/user/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.7/jackson-databind-2.9.7.jar</filePath><md5>2916db8b36f4078f07dd9580bccec6c2</md5><sha1>e6faad47abd3179666e89068485a1b88a195ceb7</sha1><sha256>675376decfc070b039d2be773a97002f1ee1e1346d95bd99feee0d56683a92bf</sha256><description>General data-binding functionality for Jackson: works on core streaming API</description><license>http://www.apache.org/licenses/LICENSE-2.0.txt</license><projectReferences><projectReference>java-demo-project:compile</projectReference></projectReferences><evidenceCollected><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="HIGH"><source>Manifest</source><name>Implementation-Vendor</name><value>FasterXML</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>fasterxml</value></evidence><evidence type="vendor" confidence="HIGH"><source>pom</source><name>name</name><value>jackson-databind</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>jackson</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>url</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="vendor" confidence="HIGH"><source>file</source><name>name</name><value>jackson-databind</value></evidence><evidence type="vendor" 
confidence="MEDIUM"><source>pom</source><name>parent-groupid</name><value>com.fasterxml.jackson</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>artifactid</name><value>jackson-databind</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>implementation-build-date</name><value>2018-09-19 02:48:44+0000</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>databind</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>Implementation-Vendor-Id</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.7))&quot;</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>automatic-module-name</name><value>com.fasterxml.jackson.databind</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>com.fasterxml.jackson.core.jackson-databind</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>parent-artifactid</name><value>jackson-base</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>specification-vendor</name><value>FasterXML</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>fasterxml</value></evidence><evidence type="product" confidence="HIGH"><source>pom</source><name>name</name><value>jackson-databind</value></evidence><evidence 
type="product" confidence="MEDIUM"><source>Manifest</source><name>specification-title</name><value>jackson-databind</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>jackson</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>url</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="product" confidence="HIGHEST"><source>pom</source><name>artifactid</name><value>jackson-databind</value></evidence><evidence type="product" confidence="HIGH"><source>file</source><name>name</name><value>jackson-databind</value></evidence><evidence type="product" confidence="HIGH"><source>Manifest</source><name>Implementation-Title</name><value>jackson-databind</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>parent-groupid</name><value>com.fasterxml.jackson</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>groupid</name><value>fasterxml.jackson.core</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>implementation-build-date</name><value>2018-09-19 02:48:44+0000</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>databind</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>Bundle-Name</name><value>jackson-databind</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.7))&quot;</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>automatic-module-name</name><value>com.fasterxml.jackson.databind</value></evidence><evidence 
type="product" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>com.fasterxml.jackson.core.jackson-databind</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>parent-artifactid</name><value>jackson-base</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Implementation-Version</name><value>2.9.7</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Bundle-Version</name><value>2.9.7</value></evidence><evidence type="version" confidence="HIGHEST"><source>pom</source><name>version</name><value>2.9.7</value></evidence><evidence type="version" confidence="HIGHEST"><source>file</source><name>version</name><value>2.9.7</value></evidence></evidenceCollected><identifiers><package confidence="HIGH"><id>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7</id><url>https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7</url></package><vulnerabilityIds confidence="HIGH"><id>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7</id><url>https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7</url></vulnerabilityIds></identifiers><vulnerabilities><vulnerability 
source="NVD"><name>CVE-2018-1000873</name><severity>MEDIUM</severity><cvssV2><score>4.3</score><accessVector>NETWORK</accessVector><accessComplexity>MEDIUM</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>NONE</confidentialImpact><integrityImpact>NONE</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>MEDIUM</severity></cvssV2><cvssV3><baseScore>6.5</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>REQUIRED</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>NONE</confidentialityImpact><integrityImpact>NONE</integrityImpact><availabilityImpact>HIGH</availabilityImpact><baseSeverity>MEDIUM</baseSeverity></cvssV3><cwes><cwe>CWE-20</cwe></cwes><description>Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. 
This vulnerability appears to have been fixed in 2.9.8.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-modules-java8/issues/90</url><name>https://github.com/FasterXML/jackson-modules-java8/issues/90</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar 
v.2.3.1</name></reference><reference><source>CONFIRM</source><url>https://bugzilla.redhat.com/show_bug.cgi?id=1665601</url><name>https://bugzilla.redhat.com/show_bug.cgi?id=1665601</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-modules-java8/pull/87</url><name>https://github.com/FasterXML/jackson-modules-java8/pull/87</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/292c11e9-cf66-4d76-aaf7-b63a091f8891</url><name>[CVE-2018-1000873] Improper Input Validation</name></reference></references><vulnerableSoftware><software>cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*</software><software vulnerabilityIdMatched="true" versionEndExcluding="2.9.8">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability 
source="NVD"><name>CVE-2018-19360</name><severity>CRITICAL</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cvssV3><baseScore>9.8</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>HIGH</integrityImpact><availabilityImpact>HIGH</availabilityImpact><baseSeverity>CRITICAL</baseSeverity></cvssV3><cwes><cwe>CWE-502</cwe></cwes><description>FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.</description><references><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3149</url><name>RHSA-2019:3149</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html</url><name>[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve 
potential security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E</url><name>[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities</name></reference><reference><source>BID</source><url>http://www.securityfocus.com/bid/107985</url><name>107985</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1822</url><name>RHSA-2019:1822</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1823</url><name>RHSA-2019:1823</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2858</url><name>RHSA-2019:2858</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/issues/2186</url><name>https://github.com/FasterXML/jackson-databind/issues/2186</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2804</url><name>RHSA-2019:2804</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b</url><name>https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson/wiki/Jackson-Release-
2.9.8</url><name>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1797</url><name>RHSA-2019:1797</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4452</url><name>DSA-4452</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/dc5c85aa-ec0c-42b9-a11b-935184041ee7</url><name>[CVE-2018-19360] Deserialization of Untrusted Data</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3140</url><name>RHSA-2019:3140</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1782</url><name>RHSA-2019:1782</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/May/68</url><name>20190527 [SECURITY] [DSA 4452-1] jackson-databind security 
update</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:0877</url><name>RHSA-2019:0877</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHBA-2019:0959</url><name>RHBA-2019:0959</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:0782</url><name>RHSA-2019:0782</name></reference><reference><source>CONFIRM</source><url>https://issues.apache.org/jira/browse/TINKERPOP-2121</url><name>https://issues.apache.org/jira/browse/TINKERPOP-2121</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190530-0003/</url><name>https://security.netapp.com/advisory/ntap-20190530-0003/</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3892</url><name>RHSA-2019:3892</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3002</url><name>RHSA-2019:3002</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" 
versionEndExcluding="2.9.8">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*</software><software versionStartIncluding="2.6.0" versionEndIncluding="2.6.7.2">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*</software><software versionStartIncluding="17.7" versionEndIncluding="17.12">cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*</software><software versionStartIncluding="17.7" versionEndIncluding="17.12">cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*</software><software 
versionStartIncluding="2.7.0" versionEndExcluding="2.7.9.5">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*</software><software versionStartIncluding="2.8.0" versionEndExcluding="2.8.11.3">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2018-19361</name><severity>CRITICAL</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cvssV3><baseScore>9.8</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>HIGH</integrityImpact><availabilityImpact>HIGH</availabilityImpact><baseSeverity>CRITICAL</baseSeverity></cvssV3><cwes><cwe>CWE-502</cwe></cwes><description>FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.</description><references><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3149</url><name>RHSA-2019:3149</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html</url><name>[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new 
pull request #3938: Upgrade third party libraries with security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/5a041483-5b69-47f8-b8a9-e631830ceaf9</url><name>[CVE-2018-19361] Deserialization of Untrusted Data</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E</url><name>[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities</name></reference><reference><source>BID</source><url>http://www.securityfocus.com/bid/107985</url><name>107985</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1822</url><name>RHSA-2019:1822</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1823</url><name>RHSA-2019:1823</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2858</url><name>RHSA-2019:2858</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/issues/2186</url><name>https://github.com/FasterXML/jackson-databind/issues/2186</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2804</url><name>RHSA-2019:2804</name></reference><reference><source>
MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b</url><name>https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8</url><name>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1797</url><name>RHSA-2019:1797</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4452</url><name>DSA-4452</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar 
v.2.3.1</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3140</url><name>RHSA-2019:3140</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1782</url><name>RHSA-2019:1782</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/May/68</url><name>20190527 [SECURITY] [DSA 4452-1] jackson-databind security update</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:0877</url><name>RHSA-2019:0877</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHBA-2019:0959</url><name>RHBA-2019:0959</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:0782</url><name>RHSA-2019:0782</name></reference><reference><source>CONFIRM</source><url>https://issues.apache.org/jira/browse/TINKERPOP-2121</url><name>https://issues.apache.org/jira/browse/TINKERPOP-2121</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known 
vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190530-0003/</url><name>https://security.netapp.com/advisory/ntap-20190530-0003/</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3892</url><name>RHSA-2019:3892</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3002</url><name>RHSA-2019:3002</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" versionEndExcluding="2.9.8">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*</software><software versionStartIncluding="2.6.0" versionEndIncluding="2.6.7.2">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*</software><software versionStartIncluding="17.7" versionEndIncluding="17.12">cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*</software><software versionStartIncluding="17.7" 
versionEndIncluding="17.12">cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*</software><software versionStartIncluding="2.7.0" versionEndExcluding="2.7.9.5">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*</software><software versionStartIncluding="2.8.0" versionEndExcluding="2.8.11.3">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2018-19362</name><severity>CRITICAL</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cvssV3><baseScore>9.8</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>HIGH</integrityImpact><availabilityImpact>HIGH</availabilityImpact><baseSeverity>CRITICAL</baseSeverity></cvssV3><cwes><cwe>CWE-502</cwe></cwes><description>FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic 
deserialization.</description><references><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3149</url><name>RHSA-2019:3149</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html</url><name>[debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E</url><name>[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security 
vulnerabilities</name></reference><reference><source>BID</source><url>http://www.securityfocus.com/bid/107985</url><name>107985</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1822</url><name>RHSA-2019:1822</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1823</url><name>RHSA-2019:1823</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2858</url><name>RHSA-2019:2858</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/issues/2186</url><name>https://github.com/FasterXML/jackson-databind/issues/2186</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2804</url><name>RHSA-2019:2804</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b</url><name>https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8</url><name>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1797</url><name>RHSA-2019:1797</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4452</url><name>DSA-4452</name></referen
ce><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3140</url><name>RHSA-2019:3140</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1782</url><name>RHSA-2019:1782</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/May/68</url><name>20190527 [SECURITY] [DSA 4452-1] jackson-databind security update</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:0877</url><name>RHSA-2019:0877</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security 
vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHBA-2019:0959</url><name>RHBA-2019:0959</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:0782</url><name>RHSA-2019:0782</name></reference><reference><source>CONFIRM</source><url>https://issues.apache.org/jira/browse/TINKERPOP-2121</url><name>https://issues.apache.org/jira/browse/TINKERPOP-2121</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/5afe3c10-61cc-4ca0-99ae-c6ba8f330b45</url><name>[CVE-2018-19362] Deserialization of Untrusted Data</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190530-0003/</url><name>https://security.netapp.com/advisory/ntap-20190530-0003/</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3892</url><name>RHSA-2019:3892</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3002</url><name>RHSA-2019:3002</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" versionEndExcluding="2.9.8">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*</software><software versionStartIncluding="2.6.0" 
versionEndIncluding="2.6.7.2">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*</software><software versionStartIncluding="17.7" versionEndIncluding="17.12">cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*</software><software versionStartIncluding="17.7" versionEndIncluding="17.12">cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*</software><software>cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*</software><software versionStartIncluding="2.7.0" versionEndExcluding="2.7.9.5">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*</software><software versionStartIncluding="2.8.0" versionEndExcluding="2.8.11.3">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability 
source="NVD"><name>CVE-2019-12086</name><severity>HIGH</severity><cvssV2><score>5.0</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>NONE</availabilityImpact><severity>MEDIUM</severity></cvssV2><cvssV3><baseScore>7.5</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>NONE</integrityImpact><availabilityImpact>NONE</availabilityImpact><baseSeverity>HIGH</baseSeverity></cvssV3><cwes><cwe>CWE-200</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. 
This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.</description><references><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3149</url><name>RHSA-2019:3149</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2858</url><name>RHSA-2019:2858</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2935</url><name>RHSA-2019:2935</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2936</url><name>RHSA-2019:2936</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html</url><name>[debian-lts-announce] 20190521 [SECURITY] [DLA 1798-1] jackson-databind security 
update</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/</url><name>FEDORA-2019-fb23eccc03</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2937</url><name>RHSA-2019:2937</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3050</url><name>RHSA-2019:3050</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9</url><name>https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4452</url><name>DSA-4452</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2938</url><name>RHSA-2019:2938</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E</url><name>[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to &gt;= 2.9.9.3 to address security vulnerabilities</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/</url><name>FEDORA-2019-ae6a703b8f</name></reference><reference><source>MISC</source><url>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</url><name>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: 
r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2998</url><name>RHSA-2019:2998</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/May/68</url><name>20190527 [SECURITY] [DSA 4452-1] jackson-databind security update</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2326</url><name>https://github.com/FasterXML/jackson-databind/issues/2326</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/</url><name>FEDORA-2019-99ff6aa32c</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E</url><name>[spark-reviews] 20190520 [GitHub] [spark] Fokko opened a new pull request #24646: Spark 27757</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security 
vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3045</url><name>RHSA-2019:3045</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/5bbadb96-496f-4534-a513-7a6396f54029</url><name>[CVE-2019-12086] Information Exposure</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3044</url><name>RHSA-2019:3044</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190530-0003/</url><name>https://security.netapp.com/advisory/ntap-20190530-0003/</name></reference><reference><source>MISC</source><url>http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/</url><name>http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/</name></reference><reference><source>BID</source><url>http://www.securityfocus.com/bid/109227</url><name>109227</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3046</url><name>RHSA-2019:3046</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" versionEndExcluding="2.9.9">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software versionStartIncluding="2.8.0" versionEndIncluding="2.8.11.3">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software versionStartIncluding="2.7.0" 
versionEndIncluding="2.7.9.5">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2019-12384</name><severity>MEDIUM</severity><cvssV2><score>4.3</score><accessVector>NETWORK</accessVector><accessComplexity>MEDIUM</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>NONE</availabilityImpact><severity>MEDIUM</severity></cvssV2><cvssV3><baseScore>5.9</baseScore><attackVector>NETWORK</attackVector><attackComplexity>HIGH</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>NONE</integrityImpact><availabilityImpact>NONE</availabilityImpact><baseSeverity>MEDIUM</baseSeverity></cvssV3><cwes><cwe>CWE-502</cwe></cwes><description>FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. 
Depending on the classpath content, remote code execution may be possible.</description><references><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3149</url><name>RHSA-2019:3149</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E</url><name>[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:1820</url><name>RHSA-2019:1820</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3901</url><name>RHSA-2019:3901</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad</url><name>https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2858</url><name>RHSA-2019:2858</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2935</url><name>RHSA-2019:2935</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E</url><name>[geode-notifications] 20191007 [GitHub] [geode] jmelchio commented on issue #4102: Fix for GEODE-7255: Pickup Jackson CVE 
fix</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3292</url><name>RHSA-2019:3292</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2936</url><name>RHSA-2019:2936</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/</url><name>FEDORA-2019-fb23eccc03</name></reference><reference><source>CONFIRM</source><url>https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html</url><name>https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2937</url><name>RHSA-2019:2937</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2938</url><name>RHSA-2019:2938</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E</url><name>[cassandra-commits] 20190919 [jira] [Created] 
(CASSANDRA-15328) Bump jackson version to &gt;= 2.9.9.3 to address security vulnerabilities</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/</url><name>FEDORA-2019-ae6a703b8f</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2998</url><name>RHSA-2019:2998</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4542</url><name>DSA-4542</name></reference><reference><source>MISC</source><url>https://doyensec.com/research.html</url><name>https://doyensec.com/research.html</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/33d59f1d-83ff-4527-9707-c3f1507b6125</url><name>[CVE-2019-12384] Deserialization of Untrusted Data</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2720</url><name>RHSA-2019:2720</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190703-0002/</url><name>https://security.netapp.com/advisory/ntap-20190703-0002/</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind 
to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/</url><name>FEDORA-2019-99ff6aa32c</name></reference><reference><source>MISC</source><url>https://blog.doyensec.com/2019/07/22/jackson-gadgets.html</url><name>https://blog.doyensec.com/2019/07/22/jackson-gadgets.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3297</url><name>RHSA-2019:3297</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/Oct/6</url><name>20191007 [SECURITY] [DSA 4542-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference></references><vulnerableSoftware><software versionStartIncluding="2.8.0" versionEndIncluding="2.8.11.3">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" versionEndExcluding="2.9.9.1">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software versionStartIncluding="2.7.0" versionEndIncluding="2.7.9.5">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability 
source="NVD"><name>CVE-2019-12814</name><severity>MEDIUM</severity><cvssV2><score>4.3</score><accessVector>NETWORK</accessVector><accessComplexity>MEDIUM</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>NONE</availabilityImpact><severity>MEDIUM</severity></cvssV2><cvssV3><baseScore>5.9</baseScore><attackVector>NETWORK</attackVector><attackComplexity>HIGH</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>NONE</integrityImpact><availabilityImpact>NONE</availabilityImpact><baseSeverity>MEDIUM</baseSeverity></cvssV3><cwes><cwe>CWE-200</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E</url><name>[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/129da0204c876f746636018751a086cc581e0e07bcdeb3ee22ff5731@%3Cdev.zookeeper.apache.org%3E</url><name>[zookeeper-dev] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for 
CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0a2b2cca072650dbd5882719976c3d353972c44f6736ddf0ba95209@%3Cissues.zookeeper.apache.org%3E</url><name>[zookeeper-issues] 20190713 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/8fe2983f6d9fee0aa737e4bd24483f8f5cf9b938b9adad0c4e79b2a4@%3Cnotifications.zookeeper.apache.org%3E</url><name>[zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli commented on issue #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2858</url><name>RHSA-2019:2858</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2935</url><name>RHSA-2019:2935</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/</url><name>FEDORA-2019-fb23eccc03</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2937</url><name>RHSA-2019:2937</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bf20574dbc2db255f1fd489942b5720f675e32a2c4f44eb6a36060cd@%3Ccommits.accumulo.apache.org%3E</url><name>[accumulo-commits] 20190723 [accumulo] branch 2.0 updated: Fix CVE-2019-12814 Use jackson-databind 2.9.9.1</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/</url><name>FEDORA-2019-ae6a703b8f</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/</url><name>FEDORA-2019-99ff6aa32c</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b148fa2e9ef468c4de00de255dd728b74e2a97d935f8ced31eb41ba2@%3Cnotifications.zookeeper.apache.org%3E</url><name>[zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt closed pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/a3ae8a8c5e32c413cd27071d3a204166050bf79ce7f1299f6866338f@%3Cissues.zookeeper.apache.org%3E</url><name>[zookeeper-issues] 20190708 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/4b832d1327703d6b287a6d223307f8f884d798821209a10647e93324@%3Cnotifications.zookeeper.apache.org%3E</url><name>[zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli closed pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/a78239b1f11cddfa86e4edee19064c40b6272214630bfef070c37957@%3Cissues.zookeeper.apache.org%3E</url><name>[zookeeper-issues] 20190623 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging 
jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3044</url><name>RHSA-2019:3044</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3297</url><name>RHSA-2019:3297</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3046</url><name>RHSA-2019:3046</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3149</url><name>RHSA-2019:3149</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190625-0006/</url><name>https://security.netapp.com/advisory/ntap-20190625-0006/</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/a62aa2706105d68f1c02023fe24aaa3c13b4d8a1826181fed07d9682@%3Cnotifications.zookeeper.apache.org%3E</url><name>[zookeeper-notifications] 20190624 [GitHub] [zookeeper] phunt commented on a change in pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/28be28ffd6471d230943a255c36fe196a54ef5afc494a4781d16e37c@%3Cissues.zookeeper.apache.org%3E</url><name>[zookeeper-issues] 20190712 [jira] [Resolved] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for 
CVE-2019-12814</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/eff7280055fc717ea8129cd28a9dd57b8446d00b36260c1caee10b87@%3Cnotifications.zookeeper.apache.org%3E</url><name>[zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html</url><name>[debian-lts-announce] 20190621 [SECURITY] [DLA 1831-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E</url><name>[geode-notifications] 20191007 [GitHub] [geode] jmelchio commented on issue #4102: Fix for GEODE-7255: Pickup Jackson CVE fix</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3292</url><name>RHSA-2019:3292</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2936</url><name>RHSA-2019:2936</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3050</url><name>RHSA-2019:3050</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2938</url><name>RHSA-2019:2938</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/issues/2341</url><name>https://github.com/FasterXML/jackson-databind/issues/2341</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E</url><name>[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to &gt;= 2.9.9.3 to address security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/15a55e1d837fa686db493137cc0330c7ee1089ed9a9eea7ae7151ef1@%3Cissues.zookeeper.apache.org%3E</url><name>[zookeeper-issues] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/71f9ffd92410a889e27b95a219eaa843fd820f8550898633d85d4ea3@%3Cissues.zookeeper.apache.org%3E</url><name>[zookeeper-issues] 20190712 [jira] [Assigned] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/2ff264b6a94c5363a35c4c88fa93216f60ec54d1d973ed6b76a9f560@%3Cissues.zookeeper.apache.org%3E</url><name>[zookeeper-issues] 20190712 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/3e008100-e0d4-45bf-afd2-9d5e9b13efa7</url><name>[CVE-2019-12814] Information 
Exposure</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3045</url><name>RHSA-2019:3045</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/1e04d9381c801b31ab28dec813c31c304b2a596b2a3707fa5462c5c0@%3Cnotifications.zookeeper.apache.org%3E</url><name>[zookeeper-notifications] 20190623 [GitHub] [zookeeper] eolivelli opened a new pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for 
CVE-2019-12814</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference></references><vulnerableSoftware><software versionStartIncluding="2.8.0" versionEndIncluding="2.8.11.3">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" versionEndExcluding="2.9.9.1">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software versionStartIncluding="2.7.0" versionEndIncluding="2.7.9.5">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2019-14379</name><severity>CRITICAL</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cvssV3><baseScore>9.8</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>HIGH</integrityImpact><availabilityImpact>HIGH</availabilityImpact><baseSeverity>CRITICAL</baseSeverity></cvssV3><cwes><cwe>CWE-20</cwe></cwes><description>SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code 
execution.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E</url><name>[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue closed pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E</url><name>[ambari-commits] 20190813 [ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067)</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2858</url><name>RHSA-2019:2858</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2935</url><name>RHSA-2019:2935</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/</url><name>FEDORA-2019-fb23eccc03</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2937</url><name>RHSA-2019:2937</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/</url><name>FEDORA-2019-ae6a703b8f</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/e5794172-1257-4372-9baf-7b87307a3cc9</url><name>[CVE-2019-14379] SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles de...</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/</url><name>FEDORA-2019-99ff6aa32c</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3044</url><name>RHSA-2019:3044</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3297</url><name>RHSA-2019:3297</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E</url><name>[pulsar-commits] 20190822 [GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade jackson-databind</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3046</url><name>RHSA-2019:3046</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3149</url><name>RHSA-2019:3149</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 
20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190814-0001/</url><name>https://security.netapp.com/advisory/ntap-20190814-0001/</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3901</url><name>RHSA-2019:3901</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2</url><name>https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html</url><name>[debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3292</url><name>RHSA-2019:3292</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2936</url><name>RHSA-2019:2936</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2387</url><name>https://github.com/FasterXML/jackson-databind/issues/2387</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191010 
[GitHub] [incubator-iceberg] rdblue commented on issue #533: Update Jackson to 2.9.10 for CVE-2019-14379</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3050</url><name>RHSA-2019:3050</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2938</url><name>RHSA-2019:2938</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHBA-2019:2824</url><name>RHBA-2019:2824</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2743</url><name>RHSA-2019:2743</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:2998</url><name>RHSA-2019:2998</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E</url><name>[ambari-commits] 20190813 [ambari] branch branch-2.7 updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379 (#3066)</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue merged pull request #535: Update Jackson to 2.9.10 for 
CVE-2019-14379</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E</url><name>[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah opened a new pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for 
CVE-2019-14379</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3045</url><name>RHSA-2019:3045</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue opened a new pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference></references><vulnerableSoftware><software versionStartIncluding="2.8.0" versionEndExcluding="2.8.11.4">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*</software><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" versionEndExcluding="2.9.9.2">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software versionStartIncluding="2.7.0" versionEndExcluding="2.7.9.6">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software>cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability 
source="NVD"><name>CVE-2019-14439</name><severity>HIGH</severity><cvssV2><score>5.0</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>NONE</availabilityImpact><severity>MEDIUM</severity></cvssV2><cvssV3><baseScore>7.5</baseScore><attackVector>NETWORK</attackVector><attackComplexity>LOW</attackComplexity><privilegesRequired>NONE</privilegesRequired><userInteraction>NONE</userInteraction><scope>UNCHANGED</scope><confidentialityImpact>HIGH</confidentialityImpact><integrityImpact>NONE</integrityImpact><availabilityImpact>NONE</availabilityImpact><baseSeverity>HIGH</baseSeverity></cvssV3><cwes><cwe>CWE-200</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E</url><name>[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security 
vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20190814-0001/</url><name>https://security.netapp.com/advisory/ntap-20190814-0001/</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2</url><name>https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html</url><name>[debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/</url><name>FEDORA-2019-fb23eccc03</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/ac9dce23-7b35-4691-b05e-a68f58d48b8c</url><name>[CVE-2019-14439] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x 
befo...</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E</url><name>[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to &gt;= 2.9.9.3 to address security vulnerabilities</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/</url><name>FEDORA-2019-ae6a703b8f</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2389</url><name>https://github.com/FasterXML/jackson-databind/issues/2389</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - 
/nifi/site/trunk/security.html</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4542</url><name>DSA-4542</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security 
vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b</url><name>https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/Oct/6</url><name>20191007 [SECURITY] [DSA 4542-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E</url><name>[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439</name></reference></references><vulnerableSoftware><software versionStartIncluding="2.8.0" versionEndIncluding="2.8.11.3">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software vulnerabilityIdMatched="true" versionStartIncluding="2.9.0" versionEndExcluding="2.9.9.2">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software><software 
versionStartIncluding="2.7.0" versionEndIncluding="2.7.9.5">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2019-14540</name><severity>HIGH</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cwes><cwe>CWE-20</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/</url><name>FEDORA-2019-b171554877</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - 
/nifi/site/trunk/security.html</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4542</url><name>DSA-4542</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/</url><name>FEDORA-2019-cf87377f5f</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190926 [jira] [Updated] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E</url><name>[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/fc1e8802-77e5-458f-b987-eb778c6ac2fc</url><name>[CVE-2019-14540] A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2...</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security 
vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190926 [GitHub] [hbase-connectors] SteNicholas opened a new pull request #45: HBASE-23075 Upgrade jackson version</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20191004-0002/</url><name>https://security.netapp.com/advisory/ntap-20191004-0002/</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2449</url><name>https://github.com/FasterXML/jackson-databind/issues/2449</name></reference><reference><source>CONFIRM</source><url>https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x</url><name>https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190926 [jira] [Commented] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html</url><name>[debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security 
update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E</url><name>[hbase-commits] 20190927 [hbase-connectors] 02/02: HBASE-23075 Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E</url><name>[zookeeper-notifications] 20190925 [GitHub] [zookeeper] maoling commented on issue #1097: ZOOKEEPER-3559 - Update Jackson to 2.9.10</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2410</url><name>https://github.com/FasterXML/jackson-databind/issues/2410</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/Oct/6</url><name>20191007 [SECURITY] [DSA 4542-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190925 [GitHub] [hbase] SteNicholas opened a new pull request #660: HBASE-23075 Upgrade jackson version</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionEndExcluding="2.9.10">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2019-16335</name><severity>HIGH</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cwes><cwe>CWE-20</cwe></cwes><description>A 
Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/</url><name>FEDORA-2019-b171554877</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E</url><name>[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4542</url><name>DSA-4542</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/3242fdc1-bfe9-46a6-af0c-0b8f57f56eb7</url><name>[CVE-2019-16335] A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 
2...</name></reference><reference><source>MISC</source><url>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</url><name>https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/</url><name>FEDORA-2019-cf87377f5f</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190926 [jira] [Updated] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E</url><name>[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190926 [GitHub] [hbase-connectors] SteNicholas opened a new pull request #45: HBASE-23075 Upgrade jackson 
version</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20191004-0002/</url><name>https://security.netapp.com/advisory/ntap-20191004-0002/</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2449</url><name>https://github.com/FasterXML/jackson-databind/issues/2449</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190926 [jira] [Commented] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html</url><name>[debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E</url><name>[hbase-commits] 20190927 [hbase-connectors] 02/02: HBASE-23075 Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/Oct/6</url><name>20191007 [SECURITY] [DSA 4542-1] jackson-databind security 
update</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E</url><name>[hbase-issues] 20190925 [GitHub] [hbase] SteNicholas opened a new pull request #660: HBASE-23075 Upgrade jackson version</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionEndExcluding="2.9.10">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2019-16942</name><severity>HIGH</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cwes><cwe>CWE-20</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.</description><references><reference><source>MISC</source><url>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</url><name>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20191017-0006/</url><name>https://security.netapp.com/advisory/ntap-20191017-0006/</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/</url><name>FEDORA-2019-b171554877</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2478</url><name>https://github.com/FasterXML/jackson-databind/issues/2478</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4542</url><name>DSA-4542</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E</url><name>[geode-issues] 20191008 [jira] [Commented] (GEODE-7255) Need to pick up 
CVE-2019-16942</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3901</url><name>RHSA-2019:3901</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/</url><name>FEDORA-2019-cf87377f5f</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e</url><name>[CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th...</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3E</url><name>[geode-issues] 20191011 [jira] [Commented] (GEODE-7255) Need to pick up CVE-2019-16942</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html</url><name>[debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update</name></reference><reference><source>MISC</source><url>https://issues.apache.org/jira/browse/GEODE-7255</url><name>https://issues.apache.org/jira/browse/GEODE-7255</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/Oct/6</url><name>20191007 [SECURITY] [DSA 
4542-1] jackson-databind security update</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionStartIncluding="2.0.0" versionEndIncluding="2.9.10">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2019-16943</name><severity>HIGH</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cwes><cwe>CWE-20</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.</description><references><reference><source>MISC</source><url>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</url><name>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20191017-0006/</url><name>https://security.netapp.com/advisory/ntap-20191017-0006/</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/</url><name>FEDORA-2019-b171554877</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2478</url><name>https://github.com/FasterXML/jackson-databind/issues/2478</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680</url><name>[CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th...</name></reference><reference><source>DEBIAN</source><url>https://www.debian.org/security/2019/dsa-4542</url><name>DSA-4542</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E</url><name>[iceberg-commits] 20191028 [incubator-iceberg] branch master updated: Update Jackson to 2.10.0 for CVE-2019-16943 
(#583)</name></reference><reference><source>FEDORA</source><url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/</url><name>FEDORA-2019-cf87377f5f</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E</url><name>[iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MLIST</source><url>https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html</url><name>[debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update</name></reference><reference><source>BUGTRAQ</source><url>https://seclists.org/bugtraq/2019/Oct/6</url><name>20191007 [SECURITY] [DSA 4542-1] jackson-databind security update</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionStartIncluding="2.0.0" versionEndIncluding="2.9.10">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability 
source="NVD"><name>CVE-2019-17267</name><severity>HIGH</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cwes><cwe>CWE-20</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.</description><references><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E</url><name>[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>REDHAT</source><url>https://access.redhat.com/errata/RHSA-2019:3200</url><name>RHSA-2019:3200</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20191017-0006/</url><name>https://security.netapp.com/advisory/ntap-20191017-0006/</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/6ce886d0-2dfd-4cef-b9a4-2fb400baf5ef</url><name>[CVE-2019-17267] A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2...</name></reference><reference><source>MLIST</source><url>https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E</url><name>[drill-dev] 
20191017 Dependencies used by Drill contain known vulnerabilities</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10</url><name>https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2460</url><name>https://github.com/FasterXML/jackson-databind/issues/2460</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionEndExcluding="2.9.10">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability><vulnerability source="NVD"><name>CVE-2019-17531</name><severity>HIGH</severity><cvssV2><score>7.5</score><accessVector>NETWORK</accessVector><accessComplexity>LOW</accessComplexity><authenticationr>NONE</authenticationr><confidentialImpact>PARTIAL</confidentialImpact><integrityImpact>PARTIAL</integrityImpact><availabilityImpact>PARTIAL</availabilityImpact><severity>HIGH</severity></cvssV2><cwes><cwe>CWE-20</cwe></cwes><description>A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.</description><references><reference><source>MISC</source><url>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</url><name>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062</name></reference><reference><source>CONFIRM</source><url>https://security.netapp.com/advisory/ntap-20191024-0005/</url><name>https://security.netapp.com/advisory/ntap-20191024-0005/</name></reference><reference><source>MISC</source><url>https://github.com/FasterXML/jackson-databind/issues/2498</url><name>https://github.com/FasterXML/jackson-databind/issues/2498</name></reference><reference><source>OSSINDEX</source><url>https://ossindex.sonatype.org/vuln/ea932c13-011a-4c74-a092-48cd1c49adb4</url><name>[CVE-2019-17531] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th...</name></reference></references><vulnerableSoftware><software vulnerabilityIdMatched="true" versionStartIncluding="2.0.0" versionEndIncluding="2.9.10">cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability></vulnerabilities></dependency><dependency isVirtual="false"><fileName>jackson-annotations-2.9.0.jar</fileName><filePath>/home/user/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.9.0/jackson-annotations-2.9.0.jar</filePath><md5>c09faa1b063681cf45706c6df50685b6</md5><sha1>07c10d545325e3a6e72e06381afe469fd40eb701</sha1><sha256>45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a</sha256><description>Core annotations used for value types, used by Jackson data binding package.
</description><license>http://www.apache.org/licenses/LICENSE-2.0.txt</license><projectReferences><projectReference>java-demo-project:compile</projectReference></projectReferences><evidenceCollected><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="HIGH"><source>Manifest</source><name>Implementation-Vendor</name><value>FasterXML</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>fasterxml</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.6))&quot;</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>implementation-build-date</name><value>2017-07-30 03:53:23+0000</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>jackson</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>url</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>pom</source><name>parent-groupid</name><value>com.fasterxml.jackson</value></evidence><evidence type="vendor" confidence="HIGH"><source>pom</source><name>name</name><value>Jackson-annotations</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>Implementation-Vendor-Id</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>com.fasterxml.jackson.core.jackson-annotations</value></evidence><evidence type="vendor" 
confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="vendor" confidence="HIGH"><source>file</source><name>name</name><value>jackson-annotations</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>artifactid</name><value>jackson-annotations</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>specification-vendor</name><value>FasterXML</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>parent-artifactid</name><value>jackson-parent</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>fasterxml</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.6))&quot;</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>implementation-build-date</name><value>2017-07-30 03:53:23+0000</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>jackson</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>Bundle-Name</name><value>Jackson-annotations</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>url</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="product" confidence="HIGH"><source>pom</source><name>name</name><value>Jackson-annotations</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>parent-groupid</name><value>com.fasterxml.jackson</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>groupid</name><value>fasterxml.jackson.core</value></evidence><evidence type="product" 
confidence="HIGH"><source>Manifest</source><name>Implementation-Title</name><value>Jackson-annotations</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>com.fasterxml.jackson.core.jackson-annotations</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>http://github.com/FasterXML/jackson</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>specification-title</name><value>Jackson-annotations</value></evidence><evidence type="product" confidence="HIGHEST"><source>pom</source><name>artifactid</name><value>jackson-annotations</value></evidence><evidence type="product" confidence="HIGH"><source>file</source><name>name</name><value>jackson-annotations</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>parent-artifactid</name><value>jackson-parent</value></evidence><evidence type="version" confidence="HIGHEST"><source>file</source><name>version</name><value>2.9.0</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Bundle-Version</name><value>2.9.0</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Implementation-Version</name><value>2.9.0</value></evidence><evidence type="version" confidence="HIGHEST"><source>pom</source><name>version</name><value>2.9.0</value></evidence></evidenceCollected><identifiers><package confidence="HIGH"><id>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0</id><url>https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0</url></package><vulnerabilityIds 
confidence="HIGH"><id>pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0</id><url>https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0</url></vulnerabilityIds></identifiers></dependency><dependency isVirtual="false"><fileName>jackson-core-2.9.7.jar</fileName><filePath>/home/user/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.7/jackson-core-2.9.7.jar</filePath><md5>ae90e61fef491afefbc9c225b6497753</md5><sha1>4b7f0e0dc527fab032e9800ed231080fdc3ac015</sha1><sha256>9e5bc0efabd9f0cac5c1fdd9ae35b16332ed22a0ee19a356de370a18a8cb6c84</sha256><description>Core Jackson processing abstractions (aka Streaming API), implementation for JSON</description><license>http://www.apache.org/licenses/LICENSE-2.0.txt</license><projectReferences><projectReference>java-demo-project:compile</projectReference></projectReferences><evidenceCollected><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="HIGH"><source>Manifest</source><name>Implementation-Vendor</name><value>FasterXML</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>automatic-module-name</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>fasterxml</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.6))&quot;</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>url</name><value>FasterXML/jackson-core</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>artifactid</name><value>jackson-core</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package 
name</name><value>core</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>base</value></evidence><evidence type="vendor" confidence="HIGH"><source>file</source><name>name</name><value>jackson-core</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>jackson</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>pom</source><name>parent-groupid</name><value>com.fasterxml.jackson</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>com.fasterxml.jackson.core.jackson-core</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>pom</source><name>groupid</name><value>fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="HIGH"><source>pom</source><name>name</name><value>Jackson-core</value></evidence><evidence type="vendor" confidence="MEDIUM"><source>Manifest</source><name>Implementation-Vendor-Id</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>https://github.com/FasterXML/jackson-core</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>implementation-build-date</name><value>2018-09-19 02:41:39+0000</value></evidence><evidence type="vendor" confidence="LOW"><source>pom</source><name>parent-artifactid</name><value>jackson-base</value></evidence><evidence type="vendor" confidence="LOW"><source>Manifest</source><name>specification-vendor</name><value>FasterXML</value></evidence><evidence type="vendor" confidence="HIGHEST"><source>jar</source><name>package name</name><value>json</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>automatic-module-name</name><value>com.fasterxml.jackson.core</value></evidence><evidence type="product" 
confidence="HIGHEST"><source>jar</source><name>package name</name><value>fasterxml</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>require-capability</name><value>osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=1.6))&quot;</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>filter</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>core</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>base</value></evidence><evidence type="product" confidence="HIGHEST"><source>pom</source><name>artifactid</name><value>jackson-core</value></evidence><evidence type="product" confidence="HIGH"><source>file</source><name>name</name><value>jackson-core</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>jackson</value></evidence><evidence type="product" confidence="HIGH"><source>Manifest</source><name>Implementation-Title</name><value>Jackson-core</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>parent-groupid</name><value>com.fasterxml.jackson</value></evidence><evidence type="product" confidence="LOW"><source>pom</source><name>groupid</name><value>fasterxml.jackson.core</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>bundle-symbolicname</name><value>com.fasterxml.jackson.core.jackson-core</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>specification-title</name><value>Jackson-core</value></evidence><evidence type="product" confidence="HIGH"><source>pom</source><name>url</name><value>FasterXML/jackson-core</value></evidence><evidence type="product" confidence="HIGH"><source>pom</source><name>name</name><value>Jackson-core</value></evidence><evidence 
type="product" confidence="LOW"><source>Manifest</source><name>bundle-docurl</name><value>https://github.com/FasterXML/jackson-core</value></evidence><evidence type="product" confidence="MEDIUM"><source>Manifest</source><name>Bundle-Name</name><value>Jackson-core</value></evidence><evidence type="product" confidence="LOW"><source>Manifest</source><name>implementation-build-date</name><value>2018-09-19 02:41:39+0000</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>json</value></evidence><evidence type="product" confidence="MEDIUM"><source>pom</source><name>parent-artifactid</name><value>jackson-base</value></evidence><evidence type="product" confidence="HIGHEST"><source>jar</source><name>package name</name><value>version</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Implementation-Version</name><value>2.9.7</value></evidence><evidence type="version" confidence="HIGH"><source>Manifest</source><name>Bundle-Version</name><value>2.9.7</value></evidence><evidence type="version" confidence="HIGHEST"><source>pom</source><name>version</name><value>2.9.7</value></evidence><evidence type="version" confidence="HIGHEST"><source>file</source><name>version</name><value>2.9.7</value></evidence></evidenceCollected><identifiers><package confidence="HIGH"><id>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7</id><url>https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7</url></package><vulnerabilityIds confidence="HIGH"><id>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7</id><url>https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7</url></vulnerabilityIds></identifiers></dependency></dependencies></analysis>