Created
December 14, 2021 11:54
2021-12-14T11:54:00.037Z INFO Detected OS: debian
2021-12-14T11:54:00.037Z INFO Detecting Debian vulnerabilities...
2021-12-14T11:54:00.053Z INFO Number of language-specific files: 1
2021-12-14T11:54:00.053Z INFO Detecting jar vulnerabilities...
2021-12-14T11:54:00.053Z WARN maven constraint error ([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred:
* improper constraint: [10.5-alpha0,10.5.3.0_1]
* improper requirements: []
solr:6.6.6 (debian 11.1)
========================
Total: 4 (CRITICAL: 4)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl | CVE-2021-22945 | CRITICAL | 7.74.0-1.3 | | curl: use-after-free and |
| | | | | | double-free in MQTT sending |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22945 |
+----------+------------------+ +-------------------+---------------+---------------------------------------+
| libc-bin | CVE-2021-33574 | | 2.31-13+deb11u2 | | glibc: mq_notify does |
| | | | | | not handle separately |
| | | | | | allocated thread attributes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33574 |
+----------+ + + +---------------+ +
| libc6 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+----------+------------------+ +-------------------+---------------+---------------------------------------+
| libcurl4 | CVE-2021-22945 | | 7.74.0-1.3 | | curl: use-after-free and |
| | | | | | double-free in MQTT sending |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22945 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Java (jar)
==========
Total: 51 (CRITICAL: 51)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095 | CRITICAL | 2.4.0 | 2.7.9.2, 2.8.10, 2.9.1 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-7525)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-15095 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-17485 | | | 2.8.11, 2.9.4 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-15095)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-7525 | | | 2.7.9.1, 2.6.7.1, 2.8.9 | jackson-databind: Deserialization |
| | | | | | vulnerability via readValue |
| | | | | | method of ObjectMapper |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7525 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-11307 | | | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential |
| | | | | | information exfiltration with |
| | | | | | default typing, serialization |
| | | | | | gadget from MyBatis |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-11307 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14718 | | | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code |
| | | | | | execution in slf4j-ext class |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14718 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14719 | | | 2.7.9.5, 2.8.11.3, 2.9.7 | jackson-databind: arbitrary |
| | | | | | code execution in blaze-ds-opt |
| | | | | | and blaze-ds-core classes |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14719 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-7489 | | | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix |
| | | | | | for CVE-2017-7525 permits unsafe |
| | | | | | serialization via c3p0 libraries |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-7489 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14379 | | | 2.9.9.2 | jackson-databind: default |
| | | | | | typing mishandling leading |
| | | | | | to remote code execution |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14379 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14540 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariConfig |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14540 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14892 | | | 2.9.10, 2.8.11.5, 2.6.7.3 | jackson-databind: Serialization |
| | | | | | gadgets in classes of the |
| | | | | | commons-configuration package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14892 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14893 | | | 2.8.11.5, 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | classes of the xalan package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14893 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16335 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariDataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16335 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16942 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.commons.dbcp.datasources.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16942 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2019-16943 | | | | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.p6spy.engine.spy.P6DataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16943 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17267 | | | 2.9.10 | jackson-databind: Serialization |
| | | | | | gadgets in classes of |
| | | | | | the ehcache package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17267 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17531 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.log4j.receivers.db.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17531 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-20330 | | | 2.9.10.2, 2.8.11.5 | jackson-databind: lacks |
| | | | | | certain net.sf.ehcache blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20330 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-8840 | | | 2.9.10.3, 2.8.11.5 | jackson-databind: Lacks certain |
| | | | | | xbean-reflect/JNDI blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8840 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-9547 | | | 2.9.10.4 | jackson-databind: Serialization |
| | | | | | gadgets in ibatis-sqlmap |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2020-9548 | | | | jackson-databind: Serialization |
| | | | | | gadgets in anteros-core |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 |
+ +------------------+ +-------------------+--------------------------------+-----------------------------------------+
| | CVE-2017-15095 | | 2.5.4 | 2.7.9.2, 2.8.10, 2.9.1 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-7525)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-15095 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-17485 | | | 2.8.11, 2.9.4 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-15095)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-7525 | | | 2.7.9.1, 2.6.7.1, 2.8.9 | jackson-databind: Deserialization |
| | | | | | vulnerability via readValue |
| | | | | | method of ObjectMapper |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7525 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-11307 | | | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential |
| | | | | | information exfiltration with |
| | | | | | default typing, serialization |
| | | | | | gadget from MyBatis |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-11307 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14718 | | | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code |
| | | | | | execution in slf4j-ext class |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14718 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14719 | | | 2.7.9.5, 2.8.11.3, 2.9.7 | jackson-databind: arbitrary |
| | | | | | code execution in blaze-ds-opt |
| | | | | | and blaze-ds-core classes |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14719 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-7489 | | | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix |
| | | | | | for CVE-2017-7525 permits unsafe |
| | | | | | serialization via c3p0 libraries |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-7489 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14379 | | | 2.9.9.2 | jackson-databind: default |
| | | | | | typing mishandling leading |
| | | | | | to remote code execution |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14379 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14540 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariConfig |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14540 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14892 | | | 2.9.10, 2.8.11.5, 2.6.7.3 | jackson-databind: Serialization |
| | | | | | gadgets in classes of the |
| | | | | | commons-configuration package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14892 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14893 | | | 2.8.11.5, 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | classes of the xalan package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14893 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16335 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariDataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16335 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16942 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.commons.dbcp.datasources.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16942 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2019-16943 | | | | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.p6spy.engine.spy.P6DataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16943 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17267 | | | 2.9.10 | jackson-databind: Serialization |
| | | | | | gadgets in classes of |
| | | | | | the ehcache package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17267 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17531 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.log4j.receivers.db.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17531 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-20330 | | | 2.9.10.2, 2.8.11.5 | jackson-databind: lacks |
| | | | | | certain net.sf.ehcache blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20330 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-8840 | | | 2.9.10.3, 2.8.11.5 | jackson-databind: Lacks certain |
| | | | | | xbean-reflect/JNDI blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8840 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-9547 | | | 2.9.10.4 | jackson-databind: Serialization |
| | | | | | gadgets in ibatis-sqlmap |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2020-9548 | | | | jackson-databind: Serialization |
| | | | | | gadgets in anteros-core |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| commons-fileupload:commons-fileupload | CVE-2016-1000031 | | 1.3.2 | 1.3.3 | Apache Commons FileUpload: |
| | | | | | DiskFileItem file manipulation |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-1000031 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| log4j:log4j | CVE-2019-17571 | | 1.2.17 | 2.0-alpha1 | log4j: deserialization of |
| | | | | | untrusted data in SocketServer |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.derby:derby | CVE-2015-1832 | | 10.9.1.0 | 10.12.1.1 | Apache Derby: XXE attack possible by |
| | | | | | using XmlVTI and the XML datatype... |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-1832 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.pdfbox:pdfbox | CVE-2019-0228 | | 2.0.6 | 2.0.15 | pdfbox: XML External Entity |
| | | | | | (XXE) attacks via a crafted XFDF |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-0228 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.solr:solr-core | CVE-2020-13957 | | 6.6.6 | 8.6.3 | solr: The checks added to |
| | | | | | unauthenticated configset |
| | | | | | uploads can be circumvented |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13957 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2021-27905 | | | 8.8.2 | solr: SSRF vulnerability |
| | | | | | with the Replication handler |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27905 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2021-29943 | | | | solr: unprivileged users may |
| | | | | | be able to perform unauthorized |
| | | | | | read/write to collections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-29943 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.xmlbeans:xmlbeans | CVE-2021-23926 | | 2.6.0 | 3.0.0 | xmlbeans: allowed malicious |
| | | | | | XML input may lead to XML |
| | | | | | Entity Expansion attack... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23926 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.bouncycastle:bcprov-jdk15 | CVE-2018-1000613 | | 1.45 | 1.60 | bouncycastle: lack of class |
| | | | | | checking in deserialization of |
| | | | | | XMSS/XMSS^MT private keys with... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000613 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2017-7657 | | 9.3.14.v20161028 | 9.3.24.v20180605, | jetty: HTTP request smuggling |
| | | | | 9.2.25.v20180606 | -->avd.aquasec.com/nvd/cve-2017-7657 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-7658 | | | 9.2.26.v20180806, | jetty: Incorrect header handling |
| | | | | 9.3.24.v20180605, | -->avd.aquasec.com/nvd/cve-2017-7658 |
| | | | | 9.4.11.v20180605 | |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+