aws/aws-secretsmanager-jdbc

vulnerabilities flagged due to jackson-databind

mailtoraja18 opened this issue · 3 comments

com.fasterxml.jackson.core:jackson-databind:2.8.11.1:jar - please upgrade to a compatible version.

      Type:            VULNERABILITY
      Name:            CVE-2018-14719
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

      Type:            VULNERABILITY
      Name:            CVE-2018-14720
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

      Type:            VULNERABILITY
      Name:            CVE-2018-14721
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

      Type:            VULNERABILITY
      Name:            CVE-2018-19360
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Thanks

The upgrade to 2.9.10.3 does not help.

Dependency: MAVEN - com.fasterxml.jackson.core:jackson-databind:2.9.10.3:jar
RejectReasons (3)
RejectReason: 001775da-5458-4655-995b-74a3d14f8a0b
Type: VULNERABILITY
CVSS Score v3: 9.8
Severity: severe
Description Link: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094
RejectReason: 5520cb0b-1131-4a29-b605-bdfc140489f0
Type: VULNERABILITY
CVSS Score v3: 8.1
Severity: high
Description Link: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766
RejectReason: 7ca799a9-afae-4080-b55f-5227ad2db815
Type: VULNERABILITY
CVSS Score v3: 8.1
Severity: high
Dependency: MAVEN - com.fasterxml.jackson.core:jackson-annotations:2.9.10:jar
Dependency: MAVEN - com.fasterxml.jackson.core:jackson-core:2.9.10:jar

Dependencies conflict - secretsmanager-caching needs to be updated as well?
com.amazonaws.secretsmanager:aws-secretsmanager-jdbc:1.0.5
-->com.amazonaws.secretsmanager:aws-secretsmanager-caching-java:1.0.1
------>com.amazonaws:aws-java-sdk-secretsmanager:1.11.409 (conflict with 1.11.418 below)
com.amazonaws:aws-java-sdk-secretsmanager:1.11.418
com.amazonaws:aws-java-sdk-core:1.11.418
com.amazonaws:jmespath-java:1.11.418
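One way to make the resolved versions explicit in the consuming project's pom.xml, as an added example that is not from the issue or the aws-secretsmanager-jdbc project: Maven's `dependencyManagement` applies to transitive dependencies too, so the 1.11.409 pulled in through aws-secretsmanager-caching-java resolves to 1.11.418 regardless of tree depth. The Jackson version is left as a labelled placeholder, because this thread does not name a release the scanner accepts.

```xml
<!-- Added example fragment for a consuming project's pom.xml (not part of the issue or repository). -->
<properties>
  <aws.sdk.version>1.11.418</aws.sdk.version>
  <!-- Placeholder: substitute the jackson-databind release your scanner accepts. -->
  <jackson.version>JACKSON_VERSION_PLACEHOLDER</jackson.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Managed versions win over the transitive 1.11.409 from aws-secretsmanager-caching-java. -->
    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk-secretsmanager</artifactId>
      <version>${aws.sdk.version}</version>
    </dependency>
    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk-core</artifactId>
      <version>${aws.sdk.version}</version>
    </dependency>
    <!-- Pin databind, core and annotations together so the three Jackson artifacts stay aligned. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-annotations</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>com.amazonaws.secretsmanager</groupId>
    <artifactId>aws-secretsmanager-jdbc</artifactId>
    <version>1.0.5</version>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dverbose` afterwards shows which versions were managed or omitted for conflict, which is the quickest way to confirm that no 1.11.409 or 2.8.11.1 artifact is still being selected.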

Addressed in commit: 78f82b2. Closing out this Issue in favor of that commit.