Details
-
Improvement
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
3.6.0, 3.5.5, 3.4.14
Description
Currently OWASP plugin is reporting these vulnerabilities:
| CVE-2018-14719 | CWE-502 Deserialization of Untrusted Data | High(7.5) | jackson-databind-2.9.5.jar |
| CVE-2018-14720 | CWE-611 Improper Restriction of XML External Entity Reference ('XXE') | High(7.5) | jackson-databind-2.9.5.jar |
| CVE-2018-14721 | CWE-918 Server-Side Request Forgery (SSRF) | High(7.5) | jackson-databind-2.9.5.jar |
| CVE-2018-19360 | CWE-502 Deserialization of Untrusted Data | High(7.5) | jackson-databind-2.9.5.jar |
| CVE-2018-19361 | CWE-502 Deserialization of Untrusted Data | High(7.5) | jackson-databind-2.9.5.jar |
| CVE-2018-19362 | CWE-502 Deserialization of Untrusted Data | High(7.5) | jackson-databind-2.9.5.jar |
| CVE-2017-7657 | CWE-190 Integer Overflow or Wraparound | High(7.5) | jetty-http-9.4.10.v20180503.jar |
| CVE-2017-7658 | CWE-19 Data Processing Errors | High(7.5) | jetty-http-9.4.10.v20180503.jar |
| CVE-2018-1000873 | CWE-20 Improper Input Validation | Medium(5.0) | jackson-databind-2.9.5.jar |
| CVE-2017-7656 | CWE-284 Improper Access Control | Medium(5.0) | jetty-http-9.4.10.v20180503.jar |
| CVE-2018-12536 | CWE-200 Information Exposure | Medium(5.0) | jetty-http-9.4.10.v20180503.jar |
| CVE-2018-12056 | CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Medium(5.0) | netty-all-4.1.29.Final.jar |
We have to upgrade all of them or add suppressions
in the Maven build we also have;
pom.xml: CVE-2018-8012, CVE-2016-5017
