WS-2018-0125 (Medium) detected in multiple libraries - autoclosed

## WS-2018-0125 - Medium Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - jackson-core-2.3.2.jar, jackson-core-2.7.4.jar, jackson-core-2.5.3.jar, jackson-core-2.3.3.jar, jackson-core-2.6.6.jar, jackson-core-2.7.1.jar, jackson-core-2.5.4.jar, jackson-core-2.6.4.jar, jackson-core-2.7.5.jar</summary>


<details><summary>jackson-core-2.3.2.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Path to dependency file: /dd-java-agent/instrumentation/dropwizard/dropwizard-views/dropwizard-views.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.3.2/559b70ac8a0d5cad611da4223137a920147201ba/jackson-core-2.3.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.3.2/559b70ac8a0d5cad611da4223137a920147201ba/jackson-core-2.3.2.jar


Dependency Hierarchy:
 - play-java-ws_2.11-2.3.10.jar (Root Library)
 - play_2.11-2.3.10.jar
 - :x: **jackson-core-2.3.2.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.7.4.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Library home page: <a href="https://github.com/FasterXML/jackson-core">https://github.com/FasterXML/jackson-core</a>
Path to dependency file: /dd-java-agent/instrumentation/vertx-web-3.4/vertx-web-3.4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.7.4/b8f38a249116b66d804a5ca2b14a3459b7913a94/jackson-core-2.7.4.jar


Dependency Hierarchy:
 - vertx-web-3.4.0.jar (Root Library)
 - vertx-core-3.4.0.jar
 - :x: **jackson-core-2.7.4.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.5.3.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Library home page: <a href="https://github.com/FasterXML/jackson">https://github.com/FasterXML/jackson</a>
Path to dependency file: /dd-java-agent/instrumentation/aws-java-sdk-1.11.0/aws-java-sdk-1.11.0.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.5.3/a8b8a6dfc8a17890e4c7ff8aed810763d265b68b/jackson-core-2.5.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.5.3/a8b8a6dfc8a17890e4c7ff8aed810763d265b68b/jackson-core-2.5.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.5.3/a8b8a6dfc8a17890e4c7ff8aed810763d265b68b/jackson-core-2.5.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.5.3/a8b8a6dfc8a17890e4c7ff8aed810763d265b68b/jackson-core-2.5.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.5.3/a8b8a6dfc8a17890e4c7ff8aed810763d265b68b/jackson-core-2.5.3.jar


Dependency Hierarchy:
 - aws-java-sdk-sqs-1.11.0.jar (Root Library)
 - aws-java-sdk-core-1.11.0.jar
 - jackson-databind-2.5.3.jar
 - :x: **jackson-core-2.5.3.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.3.3.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Path to dependency file: /dd-java-agent/instrumentation/jax-rs-annotations-1/jax-rs-annotations-1.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.3.3/7d8c5d79cc99995e21e6f955857312d8409f02a1/jackson-core-2.3.3.jar


Dependency Hierarchy:
 - dropwizard-testing-0.7.1.jar (Root Library)
 - dropwizard-core-0.7.1.jar
 - dropwizard-jackson-0.7.1.jar
 - :x: **jackson-core-2.3.3.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.6.6.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Library home page: <a href="https://github.com/FasterXML/jackson-core">https://github.com/FasterXML/jackson-core</a>
Path to dependency file: /dd-java-agent/instrumentation/aws-java-sdk-1.11.0/aws-java-sdk-1.11.0.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.6.6/2eb801df67aacaf5b1deb4ac626e1964508e47b/jackson-core-2.6.6.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.6.6/2eb801df67aacaf5b1deb4ac626e1964508e47b/jackson-core-2.6.6.jar


Dependency Hierarchy:
 - aws-java-sdk-kinesis-1.11.106.jar (Root Library)
 - aws-java-sdk-core-1.11.106.jar
 - jackson-databind-2.6.6.jar
 - :x: **jackson-core-2.6.6.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.7.1.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Library home page: <a href="https://github.com/FasterXML/jackson-core">https://github.com/FasterXML/jackson-core</a>
Path to dependency file: /dd-java-agent/instrumentation/play-2.4/play-2.4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.7.1/4127b62db028f981e81caa248953c0899d720f98/jackson-core-2.7.1.jar


Dependency Hierarchy:
 - play-java_2.11-2.5.0.jar (Root Library)
 - play_2.11-2.5.0.jar
 - :x: **jackson-core-2.7.1.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.5.4.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Library home page: <a href="https://github.com/FasterXML/jackson">https://github.com/FasterXML/jackson</a>
Path to dependency file: /dd-smoke-tests/play-2.4/play-2.4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.5.4/a57a2df1a23ca1ee32f129173ba7f5feaa9ac24/jackson-core-2.5.4.jar


Dependency Hierarchy:
 - play_2.11-2.4.11.jar (Root Library)
 - :x: **jackson-core-2.5.4.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.6.4.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Library home page: <a href="https://github.com/FasterXML/jackson-core">https://github.com/FasterXML/jackson-core</a>
Path to dependency file: /dd-java-agent/instrumentation/couchbase-2.0/couchbase-2.0.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.6.4/27d3a9f7bbdcf72d93c9b2da7017e39551bfa9fb/jackson-core-2.6.4.jar


Dependency Hierarchy:
 - spring-data-couchbase-2.0.0.RELEASE.jar (Root Library)
 - jackson-databind-2.6.4.jar
 - :x: **jackson-core-2.6.4.jar** (Vulnerable Library)
</details>
<details><summary>jackson-core-2.7.5.jar</summary>

Core Jackson abstractions, basic JSON streaming API implementation
Library home page: <a href="https://github.com/FasterXML/jackson-core">https://github.com/FasterXML/jackson-core</a>
Path to dependency file: /dd-java-agent/instrumentation/spring-cloud-zuul-2/spring-cloud-zuul-2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.7.5/dc3d2d9a654227007529c0fb6e86de9bcd038f5f/jackson-core-2.7.5.jar


Dependency Hierarchy:
 - zuul-core-1.3.1.jar (Root Library)
 - archaius-core-0.7.6.jar
 - :x: **jackson-core-2.7.5.jar** (Vulnerable Library)
</details>

Found in HEAD commit: <a href="https://github.com/KDWSS/dd-trace-java/commit/2819174635979a19573ec0ce8e3e2b63a3848079">2819174635979a19573ec0ce8e3e2b63a3848079</a>
Found in base branch: master

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.

Publish Date: 2016-08-25
URL: <a href=https://github.com/FasterXML/jackson-core/issues/315>WS-2018-0125</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (5.3)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: Low

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Release Date: 2016-08-25
Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (com.typesafe.play:play-java-ws_2.11): 2.5.10Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (io.vertx:vertx-web): 3.5.0Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk-sqs): 1.12.1Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (io.dropwizard:dropwizard-testing): 1.3.0Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk-kinesis): 1.12.1Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (com.typesafe.play:play-java_2.11): 2.5.10Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (com.typesafe.play:play_2.11): 2.5.10Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (org.springframework.data:spring-data-couchbase): 2.2.0.RELEASEFix Resolution (com.fasterxml.jackson.core:jackson-core): 2.7.7
Direct dependency fix Resolution (com.netflix.zuul:zuul-core): 2.1.1


</details>


***
:rescue_worker_helmet: Automatic Remediation is available for this issue

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WS-2018-0125 (Medium) detected in multiple libraries - autoclosed #14

WS-2018-0125 - Medium Severity Vulnerability

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

WS-2018-0125 (Medium) detected in multiple libraries - autoclosed #14

Description

WS-2018-0125 - Medium Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions