-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.5764
           Security Bulletin: IBM Disconnected Log Collector is
         vulnerable to using components with known vulnerabilities
                              6 October 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-25194 CVE-2023-1436 CVE-2022-45693
                   CVE-2022-45685 CVE-2022-42004 CVE-2022-42003
                   CVE-2022-41966 CVE-2022-41946 CVE-2022-41915
                   CVE-2022-41881 CVE-2022-40156 CVE-2022-40155
                   CVE-2022-40154 CVE-2022-40153 CVE-2022-40152
                   CVE-2022-40151 CVE-2022-40150 CVE-2022-40149
                   CVE-2022-34917 CVE-2022-31684 CVE-2022-31197
                   CVE-2022-31159 CVE-2022-30187 CVE-2022-25857
                   CVE-2022-25647 CVE-2022-24823 CVE-2022-22447
                   CVE-2022-21724 CVE-2022-3510 CVE-2022-3509
                   CVE-2022-3171 CVE-2022-1471 CVE-2021-39034
                   CVE-2021-37533 CVE-2021-22569 CVE-2021-20190
                   CVE-2020-36518 CVE-2020-36189 CVE-2020-36188
                   CVE-2020-36187 CVE-2020-36186 CVE-2020-36185
                   CVE-2020-36184 CVE-2020-36183 CVE-2020-36182
                   CVE-2020-36181 CVE-2020-36180 CVE-2020-36179
                   CVE-2020-35728 CVE-2020-35491 CVE-2020-35490
                   CVE-2020-24750 CVE-2020-24616 CVE-2020-14195
                   CVE-2020-14062 CVE-2020-14061 CVE-2020-14060
                   CVE-2020-13956 CVE-2020-11620 CVE-2020-11619
                   CVE-2020-11113 CVE-2020-11112 CVE-2020-11111
                   CVE-2020-10969 CVE-2020-10968 CVE-2020-10683
                   CVE-2020-10673 CVE-2020-10672 CVE-2020-9548
                   CVE-2020-9547 CVE-2020-9546 CVE-2020-8908
                   CVE-2020-8840 CVE-2020-4682 CVE-2019-20330
                   CVE-2019-17531 CVE-2019-17267 CVE-2019-16943
                   CVE-2019-16942 CVE-2019-16335 CVE-2019-14893
                   CVE-2019-14892 CVE-2019-14540 CVE-2019-14439
                   CVE-2019-14379 CVE-2019-12814 CVE-2019-12384
                   CVE-2019-12086 CVE-2019-10202 CVE-2019-4378
                   CVE-2018-19362 CVE-2018-19361 CVE-2018-19360
                   CVE-2018-14721 CVE-2018-14720 CVE-2018-14719
                   CVE-2018-14718 CVE-2018-12023 CVE-2018-12022
                   CVE-2018-11307

Original Bulletin: 
   https://www.ibm.com/support/pages/node/7042313

Comment: CVSS (Max):  9.8 CVE-2021-20190 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Disconnected Log Collector is vulnerable to using
components with known vulnerabilities

Document Information

More support for: IBM Security QRadar SIEM
Software version: 7.5.0
Operating system(s): Linux
Document number: 7042313
Modified date: 29 September 2023
UID: ibm17042313

Security Bulletin

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools. This update addresses these
CVEs.

Vulnerability Details

CVEID:   CVE-2022-21724
DESCRIPTION:   PostgreSQL JDBC Driver (PgJDBC) could allow a remote
authenticated attacker to execute arbitrary code on the system, caused by an
unchecked class instantiation when providing plugin classes. By sending a
specially-crafted request using the "authenticationPluginClassName",
"sslhostnameverifier", "socketFactory", "sslfactory", "sslpasswordcallback"
classes, an attacker could exploit this vulnerability to execute arbitrary code
on the system.
CVSS Base score: 8.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
218798 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2022-31197
DESCRIPTION:   PostgreSQL is vulnerable to SQL injection. A remote attacker
could send specially-crafted SQL statements to the PgJDBC implementation of the
java.sql.ResultRow.refreshRow() method, which could allow the attacker to view,
add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
232820 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2022-3510
DESCRIPTION:   protobuf-java core and lite are vulnerable to a denial of
service, caused by a flaw in the parsing procedure for Message-Type Extensions.
By sending non-repeated embedded messages with repeated or unknown fields, a
remote authenticated attacker could exploit this vulnerability to cause long
garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
239916 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-4378
DESCRIPTION:   IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12,
9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 command server is
vulnerable to a denial of service attack caused by an authenticated and
authorized user using specially crafted PCF messages. IBM X-Force ID: 162084.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162084 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-40149
DESCRIPTION:   jettison-json Jettison is vulnerable to a denial of service,
caused by a stack-based buffer overflow. By sending specially-crafted XML or
JSON data, a remote authenticated attacker could exploit this vulnerability to
cause the parser to crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236352 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-40150
DESCRIPTION:   jettison-json Jettison is vulnerable to a denial of service,
caused by an out-of-memory flaw. By sending specially-crafted XML or JSON
data, a remote authenticated attacker could exploit this vulnerability to
cause the parser to crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-4682
DESCRIPTION:   IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a
remote attacker to execute arbitrary code on the system, caused by an unsafe
deserialization of trusted data. An attacker could exploit this vulnerability
to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
186509 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-39034
DESCRIPTION:   IBM MQ 9.1 LTS is vulnerable to a denial of service attack
caused by an issue within the channel process. IBM X-Force ID: 213964.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
213964 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-41946
DESCRIPTION:   PostgreSQL JDBC could allow a local authenticated attacker to
obtain sensitive information, caused by a failure to limit access to readable
files created in the TemporaryFolder. By sending a specially-crafted request, an
attacker could exploit this vulnerability to obtain sensitive information, and
use this information to launch further attacks against the affected system.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
240853 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2020-8908
DESCRIPTION:   Guava could allow a remote authenticated attacker to bypass
security restrictions, caused by a temp directory creation vulnerability in
com.google.common.io.Files.createTempDir(). By sending a specially-crafted
request, an attacker could exploit this vulnerability to bypass access
restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
192996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2023-1436
DESCRIPTION:   Jettison is vulnerable to a denial of service, caused by an
infinite recursion when constructing a JSONArray from a Collection that
contains a self-reference in one of its elements. A remote attacker could
exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
250490 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2022-22447
DESCRIPTION:   IBM Disconnected Log Collector is vulnerable to potential
security misconfigurations that could disclose unintended information.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
224648 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2022-42004
DESCRIPTION:   FasterXML jackson-databind is vulnerable to a denial of service,
caused by a lack of a check in the BeanDeserializer._deserializeFromArray
function. By sending a specially-crafted request using deeply nested arrays, a
local attacker could exploit this vulnerability to exhaust all available
resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
237660 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-42003
DESCRIPTION:   FasterXML jackson-databind is vulnerable to a denial of service,
caused by a lack of a check in the primitive value deserializers when the
UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted
request using deep wrapper array nesting, a local attacker could exploit this
vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
237662 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-1471
DESCRIPTION:   SnakeYaml could allow a remote authenticated attacker to execute
arbitrary code on the system, caused by an unsafe deserialization in the
Constructor class. By using a specially-crafted yaml content, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

CVEID:   CVE-2022-25857
DESCRIPTION:   Java package org.yaml:snakeyaml is vulnerable to a denial of
service, caused by a missing nesting depth limit for collections. By
sending a specially-crafted request, a remote attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
234864 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-25194
DESCRIPTION:   Apache Kafka could allow a remote authenticated attacker to
execute arbitrary code on the system, caused by an unsafe deserialization when
configuring the connector via the Kafka Connect REST API. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
246698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-31684
DESCRIPTION:   VMware Tanzu Reactor Netty could allow a remote authenticated
attacker to obtain sensitive information, caused by the logging of request
headers in some cases of invalid HTTP requests. By gaining access to the log
file, an attacker could exploit this vulnerability to obtain valid access token
information, and use this information to launch further attacks against the
affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
240579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2020-13956
DESCRIPTION:   Apache HttpClient could allow a remote attacker to bypass
security restrictions, caused by the improper handling of a malformed authority
component in request URIs. By passing request URIs to the library as a
java.net.URI object, an attacker could exploit this vulnerability to pick the
wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
189572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2022-34917
DESCRIPTION:   Apache Kafka is vulnerable to a denial of service, caused by
improper input validation. By sending a specially-crafted request, a remote
attacker could exploit this vulnerability to allocate large amounts of memory
on brokers, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236498 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-40151
DESCRIPTION:   XStream is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending specially-crafted XML data, a remote
authenticated attacker could exploit this vulnerability to cause the parser to
crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-41966
DESCRIPTION:   XStream is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By manipulating the processed input stream at
unmarshalling time, a remote attacker could exploit this vulnerability to
replace or inject objects and cause a denial of service.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
243448 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

CVEID:   CVE-2022-25647
DESCRIPTION:   Google Gson is vulnerable to a denial of service, caused by the
deserialization of untrusted data. By using the writeReplace() method, a remote
attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
217225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)

CVEID:   CVE-2018-12023
DESCRIPTION:   An unspecified vulnerability in multiple Oracle products could
allow an unauthenticated attacker to take control of the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
151425 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-17531
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by a polymorphic typing issue when
Default Typing is enabled. By sending a specially-crafted request, an attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169073 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36183
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194378 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-11113
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
178903 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-14439
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by a polymorphic typing issue when Default
Typing is enabled. A remote attacker could exploit this vulnerability to obtain
sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2020-36184
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194379 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-14061
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
oracle.jms.AQjmsQueueConnectionFactory,
oracle.jms.AQjmsXATopicConnectionFactory,
oracle.jms.AQjmsTopicConnectionFactory,
oracle.jms.AQjmsXAQueueConnectionFactory, and
oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
183424 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-10969
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
javax.swing.JEditorPane. By sending specially-crafted input, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
178546 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-16942
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by a polymorphic typing issue in
the commons-dbcp class. By sending a specially-crafted request, an attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168254 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-11620
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.apache.commons.jelly.impl.Embedded (aka commons-jelly). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179431 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-19361
DESCRIPTION:   An unspecified error with failure to block the openjpa class
from polymorphic deserialization in FasterXML jackson-databind has an unknown
impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155092 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2019-10202
DESCRIPTION:   Red Hat JBoss Enterprise Application Platform (EAP) could allow
a remote attacker to execute arbitrary code on the system, caused by improper
deserialization in Codehaus. By sending a specially-crafted request, an
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168251 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-10673
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
com.caucho.config.types.ResourceRef (aka caucho-quercus). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
178107 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-14379
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by a flaw in the
SubTypeValidator.java. An attacker could exploit this vulnerability to execute
arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
165286 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36518
DESCRIPTION:   FasterXML jackson-databind is vulnerable to a denial of service,
caused by a Java StackOverflow exception. By using a large depth of nested
objects, a remote attacker could exploit this vulnerability to cause a denial
of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
222319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-16335
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by a polymorphic typing issue in
com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167205 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2018-14720
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by an XML external entity (XXE) error when
processing XML data with JDK classes. By sending specially-crafted XML data, a
remote attacker could exploit this vulnerability to obtain sensitive
information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155137 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2020-36182
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194377 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-11112
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.apache.commons.proxy.provider.remoting.RmiProvider
(aka apache/commons-proxy). By sending specially-crafted input, an attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
178902 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-12814
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by a polymorphic typing issue. By sending
a specially-crafted JSON message, an attacker could exploit this vulnerability
to read arbitrary local files on the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162875 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2020-36187
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194382 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-14062
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). By
sending specially-crafted input, an attacker could exploit this vulnerability
to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
183425 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36189
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
By sending a specially-crafted input, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194384 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-8840
DESCRIPTION:   Multiple Huawei products could allow a remote attacker to
execute arbitrary code on the system, caused by the deserialization of data
without proper validation. By sending a specially crafted request, an attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
185699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2020-36181
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194376 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-19360
DESCRIPTION:   An unspecified error with failure to block the
axis2-transport-jms class from polymorphic deserialization in FasterXML
jackson-databind has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155091 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2021-20190
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to JDK Swing classes. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
195243 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-14195
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
183495 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-9547
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the mishandling of interaction
between serialization gadgets and typing in
com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka
ibatis-sqlmap). By sending a specially-crafted request, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177103 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-14719
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the failure to block the
blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. An
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155138 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-14721
DESCRIPTION:   FasterXML jackson-databind is vulnerable to server-side request
forgery, caused by the failure to block the axis2-jaxws class from polymorphic
deserialization. A remote authenticated attacker could exploit this
vulnerability to obtain sensitive data.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2020-11619
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). By
sending specially-crafted input, an attacker could exploit this vulnerability
to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
179430 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36185
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194380 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-24616
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
187229 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-35728
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
193843 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36186
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194381 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-14893
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization when
using the xalan JNDI gadget. By sending specially-crafted input, an attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177108 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-11307
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by an issue when untrusted content is
deserialized with default typing enabled. By sending specially-crafted content
over FTP, an attacker could exploit this vulnerability to obtain sensitive
information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
163528 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-16943
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by a polymorphic typing issue in
the p6spy class. By sending a specially-crafted request, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168255 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36180
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194375 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-11111
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and
activemq-pool-jms). By sending specially-crafted input, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
178901 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-14892
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization when
using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted
input, an attacker could exploit this vulnerability to execute arbitrary code
on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177106 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-9548
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the mishandling of interaction
between serialization gadgets and typing in
br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). By sending a
specially-crafted request, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177104 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-14718
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the failure to block the
slf4j-ext class from polymorphic deserialization. An attacker could exploit
this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155139 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-14540
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by a polymorphic typing issue in
com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-12086
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
obtain sensitive information, caused by a Polymorphic Typing issue that occurs
due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a
specially-crafted JSON message, a remote attacker could exploit this
vulnerability to read arbitrary local files on the server.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
161256 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2018-12022
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by a flaw when the Default Typing
is enabled. By sending a specially-crafted request in LDAP service, an attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
163227 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-17267
DESCRIPTION:   FasterXML jackson-databind could provide weaker than expected
security, caused by a polymorphic typing issue in the
net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker
could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2020-35491
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.commons.dbcp2.datasources.SharedPoolDataSource. By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
193394 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-14060
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
183422 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-10968
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
178544 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-12384
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the failure to block the
logback-core class from polymorphic deserialization. By sending a
specially-crafted JSON message, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-24750
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
com.pastdev.httpcomponents.configuration.JndiConfiguration. By sending
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
188470 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36188
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. By sending
a specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194383 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-19362
DESCRIPTION:   An unspecified error with failure to block the jboss-common-core
class from polymorphic deserialization in FasterXML jackson-databind has an
unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155093 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2020-35490
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
193391 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-36179
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization
between gadgets and typing, related to
oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a
specially-crafted input, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
194374 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-9546
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by the mishandling of interaction
between serialization gadgets and typing in
org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded
hikari-config). By sending a specially-crafted request, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177102 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2019-20330
DESCRIPTION:   A lack of certain net.sf.ehcache blocking in FasterXML
jackson-databind has an unknown impact and attack vector.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
173897 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2020-10672
DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to
execute arbitrary code on the system, caused by an unsafe deserialization in
org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka
aries.transaction.jms). By sending specially-crafted input, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
178104 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
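
The jackson-databind entries above share one precondition: global default
typing, which lets the JSON document itself name the class to instantiate.
The following is an added example, not code from the IBM bulletin or from the
jackson project, showing the weak configuration beside the hardened one that
jackson-databind 2.10 and later provide (activateDefaultTyping with a
PolymorphicTypeValidator). The Event and LoginEvent types and the
JacksonTypingHardening class name are assumed for illustration; java.util.HashMap
stands in for any class outside the allow-list and is harmless on its own.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {

    // Application-owned marker interface (assumed name): only its
    // implementations may be named by a polymorphic type id in the JSON.
    public interface Event {}

    public static final class LoginEvent implements Event {
        public String user;
    }

    // WEAK: global default typing with no validator. Any class on the
    // classpath may be named in the document, which is what the gadget
    // classes listed in the CVEs above rely on.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; unsafe baseline only
        return mapper;
    }

    // HARDENED: default typing stays enabled for our own hierarchy, but the
    // validator rejects every type id that is not a subtype of Event.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a type id inside the allow-list is accepted.
        String ok = "[\"" + LoginEvent.class.getName() + "\",{\"user\":\"alice\"}]";
        Event e = hardenedMapper().readValue(ok, Event.class);
        System.out.println("accepted: " + e.getClass().getSimpleName());

        // Constructed sample: a type id outside the allow-list. The weak mapper
        // instantiates whatever class is named; the hardened mapper throws
        // InvalidTypeIdException before any constructor or setter runs.
        String bad = "[\"java.util.HashMap\",{}]";
        Object fromWeak = weakMapper().readValue(bad, Object.class);
        System.out.println("weak mapper built: " + fromWeak.getClass().getName());
        try {
            hardenedMapper().readValue(bad, Object.class);
            System.out.println("unexpected: hardened mapper accepted the type id");
        } catch (InvalidTypeIdException ex) {
            System.out.println("hardened mapper rejected: " + ex.getMessage());
        }
    }
}
```

If the application uses annotation-driven polymorphism (@JsonTypeInfo) rather
than default typing, the same validator can be installed with
ObjectMapper.setPolymorphicTypeValidator(ptv). In either case the allow-list,
not the library's deny-list of known gadgets, is what keeps the next gadget
class from mattering.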

CVEID:   CVE-2020-10683
DESCRIPTION:   dom4j could allow a remote authenticated attacker to obtain
sensitive information, caused by an XML external entity (XXE) error when
processing XML data. By sending specially crafted XML data, a remote attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
181356 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2021-37533
DESCRIPTION:   Apache Commons Net could allow a remote attacker to obtain
sensitive information, caused by the FTP client trusting the host from the
PASV response by default. By persuading a victim to connect to a
specially-crafted server, an attacker could exploit this vulnerability to
obtain information about services running on the private network, and use this
information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
241253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-30187
DESCRIPTION:   Microsoft Azure Storage Library could allow a local
authenticated attacker to bypass security restrictions. An attacker could
exploit this vulnerability to bypass security features and cause an impact on
confidentiality.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
229924 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-31159
DESCRIPTION:   AWS SDK for Java could allow a remote authenticated attacker to
traverse directories on the system, caused by a flaw in the downloadDirectory
method in the AWS S3 TransferManager component. An attacker could send a
specially-crafted URL request containing "dot dot" sequences (/../) to write
arbitrary files on the system.
CVSS Base score: 7.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
231331 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L)

CVEID:   CVE-2022-41881
DESCRIPTION:   Netty is vulnerable to a denial of service, caused by a
StackOverflowError in HAProxyMessageDecoder. By sending a specially-crafted
message, a remote attacker could exploit this vulnerability to cause infinite
recursion, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
242087 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-41915
DESCRIPTION:   Netty is vulnerable to HTTP response splitting attacks, caused
by a flaw when calling DefaultHttpHeaders.set with an iterator of values. A
remote attacker could exploit this vulnerability to inject arbitrary HTTP/1.1
response headers and cause the server to return a split response once the URL
is clicked. This would allow the attacker to perform further attacks, such as
Web cache poisoning or cross-site scripting, and possibly obtain sensitive
information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
242595 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2022-24823
DESCRIPTION:   Netty could allow a local authenticated attacker to obtain
sensitive information, caused by a flaw when temporarily storing uploads on
disk is enabled. By gaining access to the local system temporary directory, an
attacker could exploit this vulnerability to obtain sensitive information, and
use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
225922 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-40154
DESCRIPTION:   XStream is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending specially-crafted XML data, a remote
authenticated attacker could exploit this vulnerability to cause the parser to
crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236357 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-40152
DESCRIPTION:   XStream is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending specially-crafted XML data, a remote
authenticated attacker could exploit this vulnerability to cause the parser to
crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-40156
DESCRIPTION:   XStream is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending specially-crafted XML data, a remote
authenticated attacker could exploit this vulnerability to cause the parser to
crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236359 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-40155
DESCRIPTION:   XStream is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending specially-crafted XML data, a remote
authenticated attacker could exploit this vulnerability to cause the parser to
crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236358 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-40153
DESCRIPTION:   XStream is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending specially-crafted XML data, a remote
authenticated attacker could exploit this vulnerability to cause the parser to
crash, resulting in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236356 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-45685
DESCRIPTION:   Jettison is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending an overly long string using JSON data,
a remote attacker could exploit this vulnerability to cause a denial of
service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
242596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-45693
DESCRIPTION:   Jettison is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By sending a specially-crafted request using the
map parameter, a remote attacker could exploit this vulnerability to cause a
denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
242274 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2021-22569
DESCRIPTION:   Google Protocol Buffer (protobuf-java) is vulnerable to a denial
of service, caused by allowing interleaving of
com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open
specially-crafted content, a remote attacker could exploit this vulnerability
to cause a timeout in the ProtobufFuzzer function, resulting in a denial of
service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
216851 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:   CVE-2022-3509
DESCRIPTION:   protobuf-java core and lite are vulnerable to a denial of
service, caused by a flaw in the parsing procedure for text format data. By
sending non-repeated embedded messages with repeated or unknown fields, a
remote authenticated attacker could exploit this vulnerability to cause long
garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
239915 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-3171
DESCRIPTION:   protobuf-java core and lite are vulnerable to a denial of
service, caused by a flaw in the parsing procedure for binary and text format
data. By sending non-repeated embedded messages with repeated or unknown
fields, a remote authenticated attacker could exploit this vulnerability to
cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
238394 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

IBM X-Force ID:   177835
DESCRIPTION:   Apache Commons Codec could allow a remote attacker to obtain
sensitive information, caused by the improper validation of input. An attacker
could exploit this vulnerability using a method call to obtain sensitive
information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177835 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+------------------------------+-------------+
|Affected Product(s)           |Version(s)   |
+------------------------------+-------------+
|IBM Disconnected Log Collector|v1.0 - v1.8.2|
+------------------------------+-------------+


Remediation/Fixes

IBM encourages customers to update their systems promptly.

Follow this link to update to IBM Disconnected Log Collector v1.8.3

Workarounds and Mitigations

None

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

29 Sep 2023: Initial Publication

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to
address potential vulnerabilities, IBM periodically updates the record of
components contained in our product offerings. As part of that effort, if IBM
identifies previously unidentified packages in a product/service inventory, we
address relevant vulnerabilities regardless of CVE date. Inclusion of an older
CVEID does not demonstrate that the referenced product has been used by IBM
since that date, nor that IBM was aware of a vulnerability as of that date. We
are making clients aware of relevant vulnerabilities as we become aware of
them. "Affected Products and Versions" referenced in IBM Security Bulletins are
intended to be only products and versions that are supported by IBM and have
not passed their end-of-support or warranty date. Thus, failure to reference
unsupported or extended-support products and versions in this Security Bulletin
does not constitute a determination by IBM that they are unaffected by the
vulnerability. Reference to one or more unsupported versions in this Security
Bulletin shall not create an obligation for IBM to provide fixes for any
unsupported or extended-support products or versions.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----