spring-boot-starter-web-1.5.8.RELEASE.jar: 154 vulnerabilities (highest severity is: 10.0) #2
Description
Vulnerable Library - spring-boot-starter-web-1.5.8.RELEASE.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2018-14721 |  Critical |
10.0 | jackson-databind-2.8.10.jar | Transitive | 1.5.18.RELEASE | ✅ |
| CVE-2025-31651 | Critical |
9.8 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2025-24813 | Critical |
9.8 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2024-50379 | Critical |
9.8 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2020-9548 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-9547 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-9546 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-8840 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-20330 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-17531 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-17267 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-16943 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-16942 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-16335 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-14893 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-14892 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-14540 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-14379 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-10202 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 2.1.6.RELEASE | ✅ |
| CVE-2018-8014 | Critical |
9.8 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2018-7489 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.11.RELEASE | ✅ |
| CVE-2018-19362 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.18.RELEASE | ✅ |
| CVE-2018-19361 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.18.RELEASE | ✅ |
| CVE-2018-19360 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.18.RELEASE | ✅ |
| CVE-2018-14720 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.18.RELEASE | ✅ |
| CVE-2018-14719 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.18.RELEASE | ✅ |
| CVE-2018-14718 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.18.RELEASE | ✅ |
| CVE-2018-11307 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.14.RELEASE | ✅ |
| CVE-2017-5929 | Critical |
9.8 | detected in multiple dependencies | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2017-17485 | Critical |
9.8 | jackson-databind-2.8.10.jar | Transitive | 1.5.11.RELEASE | ✅ |
| CVE-2016-1000027 | Critical |
9.8 | spring-web-4.3.12.RELEASE.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-11113 |  High |
8.8 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-11112 | High |
8.8 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-11111 | High |
8.8 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-10969 | High |
8.8 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-10968 | High |
8.8 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-10673 | High |
8.8 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-10672 | High |
8.8 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2022-1471 | High |
8.3 | snakeyaml-1.17.jar | Transitive | 3.2.0 | ✅ |
| CVE-2024-22262 | High |
8.1 | spring-web-4.3.12.RELEASE.jar | Transitive | 3.0.0 | ✅ |
| CVE-2024-22259 | High |
8.1 | spring-web-4.3.12.RELEASE.jar | Transitive | 3.0.0 | ✅ |
| CVE-2024-22243 | High |
8.1 | spring-web-4.3.12.RELEASE.jar | Transitive | 3.0.0 | ✅ |
| CVE-2021-20190 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36189 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36188 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36187 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36186 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36185 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36184 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36183 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36182 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36181 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36180 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-36179 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-24750 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-24616 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-14195 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-14062 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-14061 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-14060 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2020-11620 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-11619 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2020-10650 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 2.2.0.RELEASE | ✅ |
| CVE-2019-0232 | High |
8.1 | tomcat-embed-core-8.5.23.jar | Transitive | 1.5.21.RELEASE | ✅ |
| CVE-2018-5968 | High |
8.1 | jackson-databind-2.8.10.jar | Transitive | 1.5.11.RELEASE | ✅ |
| CVE-2022-27772 | High |
7.8 | spring-boot-1.5.8.RELEASE.jar | Transitive | 2.2.11.RELEASE | ✅ |
| WS-2022-0468 | High |
7.5 | jackson-core-2.8.10.jar | Transitive | 3.1.0 | ✅ |
| CVE-2025-52999 | High |
7.5 | jackson-core-2.8.10.jar | Transitive | 3.1.0 | ✅ |
| CVE-2025-48989 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2025-48988 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2025-41249 | High |
7.5 | spring-core-4.3.12.RELEASE.jar | Transitive | N/A* | ❌ |
| CVE-2025-31650 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2024-38819 | High |
7.5 | spring-webmvc-4.3.12.RELEASE.jar | Transitive | 3.2.11 | ✅ |
| CVE-2024-38816 | High |
7.5 | spring-webmvc-4.3.12.RELEASE.jar | Transitive | 3.2.10 | ✅ |
| CVE-2024-34750 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2024-24549 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-46589 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-44487 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-24998 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-20883 | High |
7.5 | spring-boot-autoconfigure-1.5.8.RELEASE.jar | Transitive | 2.5.15 | ✅ |
| CVE-2022-42252 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2022-42004 | High |
7.5 | jackson-databind-2.8.10.jar | Transitive | 2.6.0 | ✅ |
| CVE-2022-42003 | High |
7.5 | jackson-databind-2.8.10.jar | Transitive | 2.6.0 | ✅ |
| CVE-2022-25857 | High |
7.5 | snakeyaml-1.17.jar | Transitive | 3.0.0 | ✅ |
| CVE-2021-41079 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2021-25122 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2020-36518 | High |
7.5 | jackson-databind-2.8.10.jar | Transitive | N/A* | ❌ |
| CVE-2020-17527 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2020-13935 | High |
7.5 | tomcat-embed-websocket-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2020-13934 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2019-17563 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2019-14439 | High |
7.5 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-12086 | High |
7.5 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-10072 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 1.5.22.RELEASE | ✅ |
| CVE-2019-0199 | High |
7.5 | tomcat-embed-core-8.5.23.jar | Transitive | 1.5.20.RELEASE | ✅ |
| CVE-2018-8034 | High |
7.5 | tomcat-embed-websocket-8.5.23.jar | Transitive | 1.5.15.RELEASE | ✅ |
| CVE-2018-15756 | High |
7.5 | spring-web-4.3.12.RELEASE.jar | Transitive | 1.5.17.RELEASE | ✅ |
| CVE-2018-1272 | High |
7.5 | spring-core-4.3.12.RELEASE.jar | Transitive | 1.5.11.RELEASE | ✅ |
| CVE-2018-12023 | High |
7.5 | jackson-databind-2.8.10.jar | Transitive | 1.5.14.RELEASE | ✅ |
| CVE-2018-12022 | High |
7.5 | jackson-databind-2.8.10.jar | Transitive | 1.5.14.RELEASE | ✅ |
| CVE-2018-11040 | High |
7.5 | detected in multiple dependencies | Transitive | 1.5.14.RELEASE | ✅ |
| CVE-2017-18640 | High |
7.5 | snakeyaml-1.17.jar | Transitive | 2.3.0.RELEASE | ✅ |
| CVE-2025-35036 | High |
7.3 | hibernate-validator-5.3.5.Final.jar | Transitive | N/A* | ❌ |
| CVE-2023-6481 | High |
7.1 | logback-core-1.1.11.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2023-6378 | High |
7.1 | logback-classic-1.1.11.jar | Transitive | 3.2.1 | ✅ |
| CVE-2021-25329 | High |
7.0 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2020-9484 | High |
7.0 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2017-7536 | High |
7.0 | hibernate-validator-5.3.5.Final.jar | Transitive | 1.5.9.RELEASE | ✅ |
| CVE-2024-12798 |  Medium |
6.6 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2021-42550 | Medium |
6.6 | detected in multiple dependencies | Transitive | 2.5.8 | ✅ |
| CVE-2025-55668 | Medium |
6.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2025-49125 | Medium |
6.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2025-46701 | Medium |
6.5 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2023-20863 | Medium |
6.5 | spring-expression-4.3.12.RELEASE.jar | Transitive | 2.4.0 | ✅ |
| CVE-2023-20861 | Medium |
6.5 | spring-expression-4.3.12.RELEASE.jar | Transitive | 2.4.0 | ✅ |
| CVE-2022-38752 | Medium |
6.5 | snakeyaml-1.17.jar | Transitive | 3.0.0 | ✅ |
| CVE-2022-38751 | Medium |
6.5 | snakeyaml-1.17.jar | Transitive | 3.0.0 | ✅ |
| CVE-2022-38750 | Medium |
6.5 | snakeyaml-1.17.jar | Transitive | 3.0.0 | ✅ |
| CVE-2022-38749 | Medium |
6.5 | snakeyaml-1.17.jar | Transitive | 3.0.0 | ✅ |
| CVE-2022-22950 | Medium |
6.5 | spring-expression-4.3.12.RELEASE.jar | Transitive | 2.4.0 | ✅ |
| CVE-2021-30640 | Medium |
6.5 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2020-5421 | Medium |
6.5 | spring-web-4.3.12.RELEASE.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2024-23672 | Medium |
6.3 | tomcat-embed-websocket-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-41080 | Medium |
6.1 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-1932 | Medium |
6.1 | hibernate-validator-5.3.5.Final.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-0221 | Medium |
6.1 | tomcat-embed-core-8.5.23.jar | Transitive | 1.5.21.RELEASE | ✅ |
| CVE-2021-24122 | Medium |
5.9 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2019-12814 | Medium |
5.9 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2019-12384 | Medium |
5.9 | jackson-databind-2.8.10.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2018-8037 | Medium |
5.9 | tomcat-embed-core-8.5.23.jar | Transitive | N/A* | ❌ |
| CVE-2018-1271 | Medium |
5.9 | spring-webmvc-4.3.12.RELEASE.jar | Transitive | 1.5.11.RELEASE | ✅ |
| CVE-2018-11039 | Medium |
5.9 | spring-web-4.3.12.RELEASE.jar | Transitive | 1.5.14.RELEASE | ✅ |
| CVE-2022-41854 | Medium |
5.8 | snakeyaml-1.17.jar | Transitive | 3.0.0 | ✅ |
| CVE-2024-38828 | Medium |
5.3 | spring-webmvc-4.3.12.RELEASE.jar | Transitive | N/A* | ❌ |
| CVE-2024-38809 | Medium |
5.3 | spring-web-4.3.12.RELEASE.jar | Transitive | 3.0.0 | ✅ |
| CVE-2024-21733 | Medium |
5.3 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-45648 | Medium |
5.3 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2023-42795 | Medium |
5.3 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2022-22970 | Medium |
5.3 | spring-core-4.3.12.RELEASE.jar | Transitive | 2.4.0 | ✅ |
| CVE-2022-22968 | Medium |
5.3 | spring-context-4.3.12.RELEASE.jar | Transitive | 2.4.0 | ✅ |
| CVE-2021-33037 | Medium |
5.3 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2020-10693 | Medium |
5.3 | hibernate-validator-5.3.5.Final.jar | Transitive | 2.0.0.RELEASE | ✅ |
| CVE-2018-1199 | Medium |
5.3 | spring-core-4.3.12.RELEASE.jar | Transitive | 1.5.10.RELEASE | ✅ |
| CVE-2020-1935 | Medium |
4.8 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2024-12801 | Medium |
4.4 | logback-core-1.1.11.jar | Transitive | N/A* | ❌ |
| CVE-2024-38808 | Medium |
4.3 | spring-expression-4.3.12.RELEASE.jar | Transitive | 3.0.0 | ✅ |
| CVE-2023-28708 | Medium |
4.3 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2021-22096 | Medium |
4.3 | detected in multiple dependencies | Transitive | 2.4.0 | ✅ |
| CVE-2021-22060 | Medium |
4.3 | spring-core-4.3.12.RELEASE.jar | Transitive | 2.4.0 | ✅ |
| CVE-2020-13943 | Medium |
4.3 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2025-49128 | Medium |
4.0 | jackson-core-2.8.10.jar | Transitive | N/A* | ❌ |
| CVE-2021-43980 |  Low |
3.7 | tomcat-embed-core-8.5.23.jar | Transitive | 2.1.0.RELEASE | ✅ |
| CVE-2025-22233 | Low |
3.1 | spring-context-4.3.12.RELEASE.jar | Transitive | N/A* | ❌ |
| CVE-2024-38820 | Low |
3.1 | spring-context-4.3.12.RELEASE.jar | Transitive | 3.2.11 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (9 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2018-14721
Vulnerable Library - jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind 2.x before 2.6.7.3,2.7.9.5,2.8.11.3,2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31651
Vulnerable Library - tomcat-embed-core-8.5.23.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.8.RELEASE.jar
- ❌ tomcat-embed-core-8.5.23.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.8.RELEASE.jar
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those
rewrite rules effectively enforced security constraints, those
constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
Users are recommended to upgrade to versions 9.0.104, 10.1.40 or 11.0.6, which fix the issue.
Publish Date: 2025-04-28
URL: CVE-2025-31651
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2025/04/28/3
Release Date: 2025-04-28
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:10.1.40
CVE-2025-24813
Vulnerable Library - tomcat-embed-core-8.5.23.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.8.RELEASE.jar
- ❌ tomcat-embed-core-8.5.23.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.8.RELEASE.jar
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-03-10
URL: CVE-2025-24813
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-10
Fix Resolution: https://github.com/apache/tomcat.git - 10.1.35
CVE-2024-50379
Vulnerable Library - tomcat-embed-core-8.5.23.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.8.RELEASE.jar
- ❌ tomcat-embed-core-8.5.23.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.8.RELEASE.jar
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. The fix for CVE-2024-50379 was found to be incomplete - users should refer to the follow-up CVE-2024-56337 which fully addresses the issue.
Publish Date: 2024-12-17
URL: CVE-2024-50379
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-17
Fix Resolution: org.apache.tomcat:tomcat-catalina:9.0.98,10.1.34,11.0.2, org.apache.tomcat.embed:tomcat-embed-core:9.0.98,10.1.34,11.0.2
CVE-2020-9548
Vulnerable Library - jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Publish Date: 2020-03-02
URL: CVE-2020-9548
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-9547
Vulnerable Library - jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Publish Date: 2020-03-02
URL: CVE-2020-9547
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GHSA-q93h-jc49-78gg
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-9546
Vulnerable Library - jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Publish Date: 2020-03-02
URL: CVE-2020-9546
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.6
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-8840
Vulnerable Library - jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-20330
Vulnerable Library - jackson-databind-2.8.10.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.10/jackson-databind-2.8.10.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.8.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.10.jar (Vulnerable Library)
Found in HEAD commit: da4219c4ae5bf5d920c44142b093658366d3319f
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Publish Date: 2020-01-03
URL: CVE-2019-20330
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2020-01-03
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.