Skip to content

Instantly share code, notes, and snippets.

@kerin

kerin/gist:1b9cb8a611d23f48d8e15b34b6be19b4

Created December 14, 2021 11:54
Show Gist options
  • Save kerin/1b9cb8a611d23f48d8e15b34b6be19b4 to your computer and use it in GitHub Desktop.
Save kerin/1b9cb8a611d23f48d8e15b34b6be19b4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
2021-12-14T11:54:00.037Z INFO Detected OS: debian
2021-12-14T11:54:00.037Z INFO Detecting Debian vulnerabilities...
2021-12-14T11:54:00.053Z INFO Number of language-specific files: 1
2021-12-14T11:54:00.053Z INFO Detecting jar vulnerabilities...
2021-12-14T11:54:00.053Z WARN maven constraint error ([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred:
* improper constraint: [10.5-alpha0,10.5.3.0_1]
* improper requirements: []
solr:6.6.6 (debian 11.1)
========================
Total: 4 (CRITICAL: 4)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl | CVE-2021-22945 | CRITICAL | 7.74.0-1.3 | | curl: use-after-free and |
| | | | | | double-free in MQTT sending |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22945 |
+----------+------------------+ +-------------------+---------------+---------------------------------------+
| libc-bin | CVE-2021-33574 | | 2.31-13+deb11u2 | | glibc: mq_notify does |
| | | | | | not handle separately |
| | | | | | allocated thread attributes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33574 |
+----------+ + + +---------------+ +
| libc6 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+----------+------------------+ +-------------------+---------------+---------------------------------------+
| libcurl4 | CVE-2021-22945 | | 7.74.0-1.3 | | curl: use-after-free and |
| | | | | | double-free in MQTT sending |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22945 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
Java (jar)
==========
Total: 51 (CRITICAL: 51)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095 | CRITICAL | 2.4.0 | 2.7.9.2, 2.8.10, 2.9.1 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-7525)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-15095 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-17485 | | | 2.8.11, 2.9.4 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-15095)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-7525 | | | 2.7.9.1, 2.6.7.1, 2.8.9 | jackson-databind: Deserialization |
| | | | | | vulnerability via readValue |
| | | | | | method of ObjectMapper |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7525 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-11307 | | | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential |
| | | | | | information exfiltration with |
| | | | | | default typing, serialization |
| | | | | | gadget from MyBatis |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-11307 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14718 | | | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code |
| | | | | | execution in slf4j-ext class |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14718 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14719 | | | 2.7.9.5, 2.8.11.3, 2.9.7 | jackson-databind: arbitrary |
| | | | | | code execution in blaze-ds-opt |
| | | | | | and blaze-ds-core classes |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14719 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-7489 | | | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix |
| | | | | | for CVE-2017-7525 permits unsafe |
| | | | | | serialization via c3p0 libraries |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-7489 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14379 | | | 2.9.9.2 | jackson-databind: default |
| | | | | | typing mishandling leading |
| | | | | | to remote code execution |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14379 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14540 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariConfig |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14540 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14892 | | | 2.9.10, 2.8.11.5, 2.6.7.3 | jackson-databind: Serialization |
| | | | | | gadgets in classes of the |
| | | | | | commons-configuration package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14892 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14893 | | | 2.8.11.5, 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | classes of the xalan package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14893 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16335 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariDataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16335 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16942 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.commons.dbcp.datasources.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16942 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2019-16943 | | | | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.p6spy.engine.spy.P6DataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16943 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17267 | | | 2.9.10 | jackson-databind: Serialization |
| | | | | | gadgets in classes of |
| | | | | | the ehcache package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17267 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17531 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.log4j.receivers.db.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17531 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-20330 | | | 2.9.10.2, 2.8.11.5 | jackson-databind: lacks |
| | | | | | certain net.sf.ehcache blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20330 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-8840 | | | 2.9.10.3, 2.8.11.5 | jackson-databind: Lacks certain |
| | | | | | xbean-reflect/JNDI blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8840 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-9547 | | | 2.9.10.4 | jackson-databind: Serialization |
| | | | | | gadgets in ibatis-sqlmap |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2020-9548 | | | | jackson-databind: Serialization |
| | | | | | gadgets in anteros-core |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 |
+ +------------------+ +-------------------+--------------------------------+-----------------------------------------+
| | CVE-2017-15095 | | 2.5.4 | 2.7.9.2, 2.8.10, 2.9.1 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-7525)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-15095 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-17485 | | | 2.8.11, 2.9.4 | jackson-databind: Unsafe |
| | | | | | deserialization due to |
| | | | | | incomplete black list (incomplete |
| | | | | | fix for CVE-2017-15095)... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-17485 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-7525 | | | 2.7.9.1, 2.6.7.1, 2.8.9 | jackson-databind: Deserialization |
| | | | | | vulnerability via readValue |
| | | | | | method of ObjectMapper |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7525 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-11307 | | | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential |
| | | | | | information exfiltration with |
| | | | | | default typing, serialization |
| | | | | | gadget from MyBatis |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-11307 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14718 | | | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code |
| | | | | | execution in slf4j-ext class |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14718 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-14719 | | | 2.7.9.5, 2.8.11.3, 2.9.7 | jackson-databind: arbitrary |
| | | | | | code execution in blaze-ds-opt |
| | | | | | and blaze-ds-core classes |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-14719 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2018-7489 | | | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix |
| | | | | | for CVE-2017-7525 permits unsafe |
| | | | | | serialization via c3p0 libraries |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-7489 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14379 | | | 2.9.9.2 | jackson-databind: default |
| | | | | | typing mishandling leading |
| | | | | | to remote code execution |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14379 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14540 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariConfig |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14540 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14892 | | | 2.9.10, 2.8.11.5, 2.6.7.3 | jackson-databind: Serialization |
| | | | | | gadgets in classes of the |
| | | | | | commons-configuration package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14892 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-14893 | | | 2.8.11.5, 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | classes of the xalan package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14893 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16335 | | | 2.9.10 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.zaxxer.hikari.HikariDataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16335 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-16942 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.commons.dbcp.datasources.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16942 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2019-16943 | | | | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | com.p6spy.engine.spy.P6DataSource |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-16943 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17267 | | | 2.9.10 | jackson-databind: Serialization |
| | | | | | gadgets in classes of |
| | | | | | the ehcache package |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17267 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-17531 | | | 2.9.10.1 | jackson-databind: |
| | | | | | Serialization gadgets in |
| | | | | | org.apache.log4j.receivers.db.* |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17531 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2019-20330 | | | 2.9.10.2, 2.8.11.5 | jackson-databind: lacks |
| | | | | | certain net.sf.ehcache blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20330 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-8840 | | | 2.9.10.3, 2.8.11.5 | jackson-databind: Lacks certain |
| | | | | | xbean-reflect/JNDI blocking |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8840 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2020-9547 | | | 2.9.10.4 | jackson-databind: Serialization |
| | | | | | gadgets in ibatis-sqlmap |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9547 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2020-9548 | | | | jackson-databind: Serialization |
| | | | | | gadgets in anteros-core |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9548 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| commons-fileupload:commons-fileupload | CVE-2016-1000031 | | 1.3.2 | 1.3.3 | Apache Commons FileUpload: |
| | | | | | DiskFileItem file manipulation |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-1000031 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| log4j:log4j | CVE-2019-17571 | | 1.2.17 | 2.0-alpha1 | log4j: deserialization of |
| | | | | | untrusted data in SocketServer |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.derby:derby | CVE-2015-1832 | | 10.9.1.0 | 10.12.1.1 | Apache Derby: XXE attack possible by |
| | | | | | using XmlVTI and the XML datatype... |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-1832 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.pdfbox:pdfbox | CVE-2019-0228 | | 2.0.6 | 2.0.15 | pdfbox: XML External Entity |
| | | | | | (XXE) attacks via a crafted XFDF |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-0228 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.solr:solr-core | CVE-2020-13957 | | 6.6.6 | 8.6.3 | solr: The checks added to |
| | | | | | unauthenticated configset |
| | | | | | uploads can be circumvented |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13957 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2021-27905 | | | 8.8.2 | solr: SSRF vulnerability |
| | | | | | with the Replication handler |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27905 |
+ +------------------+ + + +-----------------------------------------+
| | CVE-2021-29943 | | | | solr: unprivileged users may |
| | | | | | be able to perform unauthorized |
| | | | | | read/write to collections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-29943 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.apache.xmlbeans:xmlbeans | CVE-2021-23926 | | 2.6.0 | 3.0.0 | xmlbeans: allowed malicious |
| | | | | | XML input may lead to XML |
| | | | | | Entity Expansion attack... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23926 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.bouncycastle:bcprov-jdk15 | CVE-2018-1000613 | | 1.45 | 1.60 | bouncycastle: lack of class |
| | | | | | checking in deserialization of |
| | | | | | XMSS/XMSS^MT private keys with... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000613 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+-----------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2017-7657 | | 9.3.14.v20161028 | 9.3.24.v20180605, | jetty: HTTP request smuggling |
| | | | | 9.2.25.v20180606 | -->avd.aquasec.com/nvd/cve-2017-7657 |
+ +------------------+ + +--------------------------------+-----------------------------------------+
| | CVE-2017-7658 | | | 9.2.26.v20180806, | jetty: Incorrect header handling |
| | | | | 9.3.24.v20180605, | -->avd.aquasec.com/nvd/cve-2017-7658 |
| | | | | 9.4.11.v20180605 | |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment