chore(findings): opensource/opennms/horizon
Summary
opensource/opennms/horizon has 2 new findings discovered during continuous monitoring.
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/opennms/horizon&tag=34.0.0&branch=master
EPSS (Exploit Prediction Scoring System) gives the estimated probability (0 to 1) that a vulnerability will be exploited in the wild within the next 30 days; a higher score means exploitation is more likely.
KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is listed in CISA's catalog of vulnerabilities known to be actively exploited.
id | source | severity | package | impact | workaround | epss_score | kev |
---|---|---|---|---|---|---|---|
CVE-2025-8941 | Twistlock CVE | High | pam-1.5.1-25.el9_6 | | | N/A | false |
CVE-2025-55163 | Twistlock CVE | High | io.netty_netty-codec-http2-4.1.100.Final | | | N/A | false |
Novel Tidelift Findings (Experimental)
opensource/opennms/horizon has 150 novel Tidelift findings discovered during continuous monitoring.
NOTE: This table is for Iron Bank evaluation and testing purposes. No action required by vendors.
id | cvss score | package | impact | workaround | epss_score | kev |
---|---|---|---|---|---|---|
CVE-2022-1471 | 9.8 | org.yaml:snakeyaml-1.33 | | | 0.93849 | false |
CVE-2020-9548 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.67398 | false |
CVE-2020-11113 | 8.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.61746 | false |
CVE-2020-36179 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.61296 | false |
CVE-2019-12384 | 5.9 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.51675 | false |
CVE-2020-9547 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.49698 | false |
CVE-2020-10672 | 8.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.40070 | false |
CVE-2020-35728 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.39669 | false |
CVE-2020-10673 | 8.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.20473 | false |
CVE-2019-12814 | 5.9 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.19277 | false |
CVE-2019-12086 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.15745 | false |
CVE-2020-11112 | 8.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.11418 | false |
CVE-2019-14439 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.10318 | false |
CVE-2020-14195 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.09511 | false |
CVE-2020-14060 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.08718 | false |
CVE-2020-8840 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.08164 | false |
CVE-2019-14540 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.07984 | false |
CVE-2020-14062 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.07706 | false |
CVE-2020-36188 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.06980 | false |
CVE-2020-35491 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.06892 | false |
CVE-2020-10968 | 8.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.06632 | false |
CVE-2020-36181 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.06306 | false |
CVE-2020-14061 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.06150 | false |
CVE-2020-10650 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Requires the existence of specific jars in the user's classpath; only relevant for users of Apache Ignite. | | 0.05253 | false |
CVE-2020-36184 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.05061 | false |
CVE-2020-35490 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.04749 | false |
CVE-2020-24616 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.03783 | false |
CVE-2020-11620 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02796 | false |
CVE-2020-36189 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02635 | false |
CVE-2020-36183 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02421 | false |
CVE-2019-20444 | 9.1 | io.netty:netty-codec-http-4.1.22.Final | | | 0.02402 | false |
CVE-2020-9546 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02327 | false |
CVE-2020-36186 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02210 | false |
CVE-2020-11111 | 8.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02196 | false |
CVE-2020-36182 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02121 | false |
CVE-2020-24750 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02107 | false |
CVE-2020-11971 | 7.5 | org.apache.camel:camel-core-2.21.5 | | | 0.02054 | false |
CVE-2020-36187 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.02039 | false |
CVE-2019-20330 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01997 | false |
CVE-2020-36185 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01957 | false |
CVE-2020-36180 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01957 | false |
CVE-2019-0188 | 7.5 | org.apache.camel:camel-core-2.21.5 | | | 0.01956 | false |
CVE-2020-11612 | 7.5 | io.netty:netty-handler-4.1.22.Final | This vulnerability can be easily triggered by sending compressed data that can be deflated into a very large number of bytes. | A user can stop using ZlibDecoder or its subtypes in their application and replace them with a new handler implementation without the vulnerability, e.g. by forking ZlibDecoder from a newer version. | 0.01846 | false |
CVE-2019-16943 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01841 | false |
CVE-2020-11619 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01826 | false |
CVE-2020-10969 | 8.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01478 | false |
CVE-2019-14379 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01455 | false |
CVE-2019-17267 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01357 | false |
CVE-2019-17531 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.01190 | false |
CVE-2019-14892 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.00873 | false |
CVE-2019-16335 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.00740 | false |
CVE-2021-37137 | 7.5 | io.netty:netty-codec-4.1.22.Final | An attacker can easily trigger excessive memory usage of the vulnerable application by sending Snappy-compressed content that is deflated into a large amount of data. | A vulnerable user can stop using Snappy and SnappyFramedDecoder and replace them with a custom implementation without the vulnerability, usually by forking them from a newer version of Netty. | 0.00715 | false |
CVE-2019-14893 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.00698 | false |
CVE-2020-7238 | 7.5 | io.netty:netty-codec-http-4.1.22.Final | This vulnerability affects all HTTP/1 clients and servers written on top of Netty, triggered by a malicious chunked HTTP/1 request/response. | | 0.00685 | false |
CVE-2023-34462 | 6.5 | io.netty:netty-handler-4.1.22.Final | It's relatively easy to trigger DoS and make the server suffer from unnecessarily high memory usage by leveraging this vulnerability. | You can fork the fixed SniHandler from a newer Netty version instead of using the one provided by the old Netty version. Alternatively, you can simply disable SNI by removing SniHandler from your channel pipeline. | 0.00563 | false |
CVE-2023-5072 | 7.5 | org.json:json-20230227 | | | 0.00525 | false |
CVE-2024-21742 | 5.3 | org.apache.james:apache-mime4j-core-0.7.2 | | | 0.00492 | false |
CVE-2025-27533 | 6.9 | org.apache.activemq:activemq-openwire-legacy-5.15.16 | | | 0.00489 | false |
CVE-2025-27533 | 6.9 | org.apache.activemq:activemq-client-5.15.16 | | | 0.00489 | false |
CVE-2020-36518 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.11.0 | It is difficult to estimate how commonly untyped deserialization is used, but it is not the most common usage style; more commonly used target types are POJOs (typed) or JsonNode (JSON tree). | | 0.00477 | false |
CVE-2020-36518 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | It is difficult to estimate how commonly untyped deserialization is used, but it is not the most common usage style; more commonly used target types are POJOs (typed) or JsonNode (JSON tree). | | 0.00477 | false |
CVE-2020-36518 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.10.8 | It is difficult to estimate how commonly untyped deserialization is used, but it is not the most common usage style; more commonly used target types are POJOs (typed) or JsonNode (JSON tree). | | 0.00477 | false |
CVE-2021-20190 | 8.1 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.00469 | false |
CVE-2023-43643 | 6.1 | org.owasp.antisamy:antisamy-1.7.3 | | | 0.00463 | false |
CVE-2019-16942 | 9.8 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | Applicability relies on explicit usage of a specific style of Polymorphic Deserialization, as explained above; it DOES NOT AFFECT Jackson usage with DEFAULT SETTINGS. | | 0.00438 | false |
CVE-2019-20445 | 9.1 | io.netty:netty-codec-http-4.1.22.Final | This vulnerability affects all HTTP/1 clients and servers written on top of Netty, triggered by a malicious HTTP/1 request/response that contains repeated Content-Length or Transfer-Encoding headers. | | 0.00434 | false |
CVE-2019-20445 | 9.1 | io.netty:netty-handler-4.1.22.Final | | | 0.00434 | false |
CVE-2023-3635 | 7.5 | com.squareup.okio:okio-1.14.0 | | | 0.00335 | false |
CVE-2025-48924 | 6.5 | org.apache.commons:commons-lang3-3.13.0 | An application or library would need to not only use the API or one of its call sites but also allow very long inputs for a class name. Alternatively, if the app or library accepts input from the user or a configuration file, the app stack may be vulnerable. | | 0.00309 | false |
CVE-2025-48924 | 6.5 | commons-lang:commons-lang-2.6 | | | 0.00309 | false |
CVE-2025-48924 | 6.5 | org.apache.commons:commons-lang3-3.16.0 | An application or library would need to not only use the API or one of its call sites but also allow very long inputs for a class name. Alternatively, if the app or library accepts input from the user or a configuration file, the app stack may be vulnerable. | | 0.00309 | false |
CVE-2025-48924 | 6.5 | org.apache.commons:commons-lang3-3.12.0 | An application or library would need to not only use the API or one of its call sites but also allow very long inputs for a class name. Alternatively, if the app or library accepts input from the user or a configuration file, the app stack may be vulnerable. | | 0.00309 | false |
CVE-2018-20200 | 5.9 | com.squareup.okhttp3:okhttp-3.10.0 | | | 0.00305 | false |
CVE-2023-33201 | 5.3 | org.bouncycastle:bcprov-jdk15on-1.70 | | | 0.00289 | false |
CVE-2023-33201 | 5.3 | org.bouncycastle:bcprov-ext-jdk15on-1.70 | | | 0.00289 | false |
CVE-2023-33201 | 5.3 | org.bouncycastle:bcpkix-jdk15on-1.70 | | | 0.00289 | false |
CVE-2022-24823 | 5.5 | io.netty:netty-common-4.1.22.Final | This vulnerability affects users only when an attacker has gained access to a local system user AND the Netty-based application didn't configure the file upload directory properly. | When creating a DefaultHttpDataFactory, call setBaseDir so that the uploaded files are stored in a directory with secure permissions. If you didn't specify a DefaultHttpDataFactory explicitly when instantiating HttpPostRequestDecoder or its subtypes, you need to create a new DefaultHttpDataFactory whose baseDir is set to the secure directory first and specify it when instantiating them. | 0.00285 | false |
CVE-2022-42003 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.11.0 | An attacker will need to have high confidence that the feature is enabled and be familiar with the object structure of the Java target class; it is not possible to generate a general JSON document since the target type varies by system. | | 0.00278 | false |
CVE-2022-42003 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | An attacker will need to have high confidence that the feature is enabled and be familiar with the object structure of the Java target class; it is not possible to generate a general JSON document since the target type varies by system. | | 0.00278 | false |
CVE-2022-42003 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.10.8 | An attacker will need to have high confidence that the feature is enabled and be familiar with the object structure of the Java target class; it is not possible to generate a general JSON document since the target type varies by system. | | 0.00278 | false |
CVE-2024-23076 | | org.jfree:jfreechart-1.5.4 | | | 0.00271 | false |
CVE-2024-23076 | | org.jfree:jfreechart-1.0.19 | | | 0.00271 | false |
CVE-2021-37136 | 7.5 | io.netty:netty-codec-4.1.22.Final | An attacker can easily trigger excessive memory usage of the vulnerable application by sending bzip2-compressed content that is deflated into a large amount of data. | A vulnerable user can stop using Bzip2Decoder and replace it with a custom decoder implementation without the vulnerability. | 0.00229 | false |
CVE-2022-42004 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.11.0 | An attacker will need to have high confidence that the feature is enabled and be familiar with the object structure of the Java target class; it is not possible to generate a general JSON document since the target type varies by system. | | 0.00219 | false |
CVE-2022-42004 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | An attacker will need to have high confidence that the feature is enabled and be familiar with the object structure of the Java target class; it is not possible to generate a general JSON document since the target type varies by system. | | 0.00219 | false |
CVE-2022-42004 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.10.8 | An attacker will need to have high confidence that the feature is enabled and be familiar with the object structure of the Java target class; it is not possible to generate a general JSON document since the target type varies by system. | | 0.00219 | false |
CVE-2023-1932 | 6.1 | org.hibernate:hibernate-validator-4.3.2.Final | | | 0.00215 | false |
CVE-2024-47554 | 4.3 | commons-io:commons-io-2.11.0 | Either an application is using the class org.apache.commons.io.input.XmlStreamReader or it is not; if the class is in use, then attackers can craft malicious input to make the application vulnerable if that application accepts input to XmlStreamReader from the world at large. If an application can be relatively certain that its XmlStreamReader input can be trusted, the risk could be lowered from a vulnerability to a bug. | An application could mitigate this vulnerability by validating the input given to the class. | 0.00213 | false |
CVE-2024-47554 | 4.3 | commons-io:commons-io-2.8.0 | Either an application is using the class org.apache.commons.io.input.XmlStreamReader or it is not; if the class is in use, then attackers can craft malicious input to make the application vulnerable if that application accepts input to XmlStreamReader from the world at large. If an application can be relatively certain that its XmlStreamReader input can be trusted, the risk could be lowered from a vulnerability to a bug. | An application could mitigate this vulnerability by validating the input given to the class. | 0.00213 | false |
CVE-2024-47554 | 4.3 | commons-io:commons-io-2.13.0 | Either an application is using the class org.apache.commons.io.input.XmlStreamReader or it is not; if the class is in use, then attackers can craft malicious input to make the application vulnerable if that application accepts input to XmlStreamReader from the world at large. If an application can be relatively certain that its XmlStreamReader input can be trusted, the risk could be lowered from a vulnerability to a bug. | An application could mitigate this vulnerability by validating the input given to the class. | 0.00213 | false |
CVE-2024-23077 | | org.jfree:jfreechart-1.5.4 | | | 0.00186 | false |
CVE-2024-23077 | | org.jfree:jfreechart-1.0.19 | | | 0.00186 | false |
CVE-2024-7254 | 8.7 | com.google.protobuf:protobuf-java-3.25.3 | | | 0.00171 | false |
CVE-2021-37533 | 6.5 | commons-net:commons-net-3.8.0 | A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. | | 0.00162 | false |
CVE-2021-28168 | 6.2 | org.glassfish.jersey.core:jersey-common-2.4.1 | Reliance on default file permissions makes all users vulnerable. | This issue can be mitigated by manually setting the java.io.tmpdir system property when launching the JVM. | 0.00158 | false |
CVE-2021-28168 | 6.2 | org.glassfish.jersey.core:jersey-common-2.22.2 | Reliance on default file permissions makes all users vulnerable. | This issue can be mitigated by manually setting the java.io.tmpdir system property when launching the JVM. | 0.00158 | false |
CVE-2025-24970 | 7.5 | io.netty:netty-handler-4.1.100.Final | This is a critical vulnerability that can crash your application very easily, just by sending a crafted packet. An upgrade or workaround is highly recommended. | First option: disable native TLS support by removing the netty-tcnative dependency or explicitly telling Netty not to use native TLS support. This may degrade your application's TLS performance. Second option: change the code from `SslContext context = ...; SslHandler handler = context.newHandler(...);` to `SslContext context = ...; SSLEngine engine = context.newEngine(...); SslHandler handler = new SslHandler(engine, ...);`. | 0.00156 | false |
CVE-2024-23635 | 6.1 | org.owasp.antisamy:antisamy-1.7.3 | | | 0.00156 | false |
CVE-2024-29857 | 7.5 | org.bouncycastle:bcprov-jdk15on-1.70 | | | 0.00155 | false |
CVE-2025-5878 | 7.3 | org.owasp.esapi:esapi-2.5.2.0 | | | 0.00152 | false |
CVE-2024-6763 | 3.7 | org.eclipse.jetty:jetty-http-9.4.57.v20241219 | If using the Jetty internal HttpURI as part of the Jetty server and Jetty client, you are not vulnerable. If using HttpURI in your application directly, then you are vulnerable if you use the results of HttpURI to apply filtering based on the given URI. | | 0.00140 | false |
CVE-2021-43797 | 6.5 | io.netty:netty-codec-http-4.1.22.Final | This vulnerability affects all HTTP/1 clients and servers written on top of Netty, triggered by a malicious HTTP/1 request/response whose header names contain a control character. | | 0.00139 | false |
CVE-2025-46392 | 2.7 | commons-configuration:commons-configuration-1.10 | | | 0.00117 | false |
CVE-2024-23080 | | joda-time:joda-time-2.12.5 | | | 0.00116 | false |
CVE-2022-0839 | 9.8 | org.liquibase:liquibase-core-3.6.3 | | | 0.00115 | false |
CVE-2025-25193 | 5.5 | io.netty:netty-common-4.1.22.Final | This vulnerability can be triggered only when an attacker already has write access to the filesystem. In addition, an attacker must create the offending file in the filesystem before the application is started. Therefore, I'd say the risk is fairly low. | | 0.00113 | false |
CVE-2025-25193 | 5.5 | io.netty:netty-common-4.1.100.Final | This vulnerability can be triggered only when an attacker already has write access to the filesystem. In addition, an attacker must create the offending file in the filesystem before the application is started. Therefore, I'd say the risk is fairly low. | | 0.00113 | false |
CVE-2024-30172 | 7.5 | org.bouncycastle:bcprov-jdk15on-1.70 | | | 0.00104 | false |
CVE-2021-46877 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.11.0 | JsonNodes are rarely serialized/deserialized using JDK serialization. | | 0.00097 | false |
CVE-2022-40160 | 6.5 | commons-jxpath:commons-jxpath-1.3 | | | 0.00089 | false |
CVE-2022-40159 | 6.5 | commons-jxpath:commons-jxpath-1.3 | | | 0.00089 | false |
CVE-2024-22949 | | org.jfree:jfreechart-1.5.4 | | | 0.00083 | false |
CVE-2024-22949 | | org.jfree:jfreechart-1.0.19 | | | 0.00083 | false |
CVE-2023-52070 | | org.jfree:jfreechart-1.5.4 | | | 0.00079 | false |
CVE-2023-52070 | | org.jfree:jfreechart-1.0.19 | | | 0.00079 | false |
CVE-2022-41854 | 6.5 | org.yaml:snakeyaml-1.33 | | | 0.00076 | false |
CVE-2025-52999 | 8.7 | com.fasterxml.jackson.core:jackson-core-2.9.8 | Vulnerability exposed for many reading cases, but not all; depends on databinding-level calls and definitions. If Java target classes are used, it is less likely to be applicable; for the tree model (JsonNode), it is always applicable. | | 0.00069 | false |
CVE-2025-52999 | 8.7 | com.fasterxml.jackson.core:jackson-core-2.11.0 | Vulnerability exposed for many reading cases, but not all; depends on databinding-level calls and definitions. If Java target classes are used, it is less likely to be applicable; for the tree model (JsonNode), it is always applicable. | | 0.00069 | false |
CVE-2025-52999 | 8.7 | com.fasterxml.jackson.core:jackson-core-2.9.10 | Vulnerability exposed for many reading cases, but not all; depends on databinding-level calls and definitions. If Java target classes are used, it is less likely to be applicable; for the tree model (JsonNode), it is always applicable. | | 0.00069 | false |
CVE-2025-52999 | 8.7 | com.fasterxml.jackson.core:jackson-core-2.13.5 | Vulnerability exposed for many reading cases, but not all; depends on databinding-level calls and definitions. If Java target classes are used, it is less likely to be applicable; for the tree model (JsonNode), it is always applicable. | | 0.00069 | false |
CVE-2025-52999 | 8.7 | com.fasterxml.jackson.core:jackson-core-2.14.1 | Vulnerability exposed for many reading cases, but not all; depends on databinding-level calls and definitions. If Java target classes are used, it is less likely to be applicable; for the tree model (JsonNode), it is always applicable. | | 0.00069 | false |
CVE-2020-8908 | 3.3 | com.google.guava:guava-30.1-jre | | | 0.00067 | false |
CVE-2020-8908 | 3.3 | com.google.guava:guava-31.1-jre | | | 0.00067 | false |
CVE-2020-8908 | 3.3 | com.google.guava:guava-30.1.1-jre | | | 0.00067 | false |
CVE-2023-33202 | 5.5 | org.bouncycastle:bcprov-jdk15on-1.70 | | | 0.00059 | false |
CVE-2023-33202 | 5.5 | org.bouncycastle:bcprov-ext-jdk15on-1.70 | | | 0.00059 | false |
CVE-2024-29025 | 5.3 | io.netty:netty-codec-http-4.1.22.Final | HttpPostRequestDecoder is vulnerable to this issue regardless of whether it is used as intended or not. | If HttpPostRequestDecoder is NOT used for handling file uploads, a user could limit the length of an HTTP POST request body to a small value, which will effectively reduce the theoretically possible maximum number of form fields a request body can contain. However, this workaround might not be feasible if a user needs to handle file uploads, where it may not be possible to limit the request body length. | 0.00048 | false |
CVE-2024-29025 | 5.3 | io.netty:netty-codec-http-4.1.100.Final | HttpPostRequestDecoder is vulnerable to this issue regardless of whether it is used as intended or not. | If HttpPostRequestDecoder is NOT used for handling file uploads, a user could limit the length of an HTTP POST request body to a small value, which will effectively reduce the theoretically possible maximum number of form fields a request body can contain. However, this workaround might not be feasible if a user needs to handle file uploads, where it may not be possible to limit the request body length. | 0.00048 | false |
CVE-2025-48976 | 8.7 | commons-fileupload:commons-fileupload-1.5 | If your application uses multipart headers, and unless you set boundaries or accept the default partHeaderSizeMax (512 bytes) in 2.0.0-M4 or 1.6.0, an application might be vulnerable. | | 0.00045 | false |
CVE-2024-30171 | 5.9 | org.bouncycastle:bcprov-jdk15on-1.70 | | | 0.00045 | false |
CVE-2025-25247 | 6.1 | org.apache.felix:org.apache.felix.webconsole-4.8.10 | | | 0.00044 | false |
CVE-2023-2976 | 7.1 | com.google.guava:guava-30.1-jre | | | 0.00042 | false |
CVE-2023-2976 | 7.1 | com.google.guava:guava-31.1-jre | | | 0.00042 | false |
CVE-2023-2976 | 7.1 | com.google.guava:guava-30.1.1-jre | | | 0.00042 | false |
CVE-2023-0833 | 5.5 | com.squareup.okhttp3:okhttp-3.14.0 | | | 0.00036 | false |
CVE-2023-0833 | 5.5 | com.squareup.okhttp3:okhttp-3.10.0 | | | 0.00036 | false |
CVE-2024-57699 | 7.5 | net.minidev:json-smart-2.5.0 | | | 0.00032 | false |
CVE-2024-23944 | 5.3 | org.apache.zookeeper:zookeeper-3.7.2 | | | 0.00028 | false |
CVE-2024-47535 | 5.5 | io.netty:netty-common-4.1.22.Final | An attacker must acquire the privilege to override the content of system files such as /etc/resolv.conf and /proc/sys. Given such powerful superuser-level privilege, I would imagine the attacker will not waste their time triggering OOME using this vulnerability. | | 0.00027 | false |
CVE-2024-47535 | 5.5 | io.netty:netty-common-4.1.100.Final | An attacker must acquire the privilege to override the content of system files such as /etc/resolv.conf and /proc/sys. Given such powerful superuser-level privilege, I would imagine the attacker will not waste their time triggering OOME using this vulnerability. | | 0.00027 | false |
CVE-2023-35116 | 4.7 | com.fasterxml.jackson.core:jackson-databind-2.11.0 | | | 0.00015 | false |
CVE-2023-35116 | 4.7 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | | | 0.00015 | false |
CVE-2023-35116 | 4.7 | com.fasterxml.jackson.core:jackson-databind-2.14.1 | | | 0.00015 | false |
CVE-2023-35116 | 4.7 | com.fasterxml.jackson.core:jackson-databind-2.9.10.8 | | | 0.00015 | false |
CVE-2023-35116 | 4.7 | com.fasterxml.jackson.core:jackson-databind-2.13.5 | | | 0.00015 | false |
CVE-2020-36843 | 4.3 | net.i2p.crypto:eddsa-0.3.0 | | | 0.00013 | false |
CVE-2020-25649 | 7.5 | com.fasterxml.jackson.core:jackson-databind-2.9.8 | As per the applicability description, affected usage would seem very rare; it would only occur in cases where JSON content contains embedded XML values for a property AND that content is mapped to a DOM Element or Document value. | | 0.00011 | false |
CVE-2025-49128 | 4.0 | com.fasterxml.jackson.core:jackson-core-2.9.8 | Vulnerability as described is rather difficult to exploit even under the best of conditions. | Included in description | 0.00005 | false |
CVE-2025-49128 | 4.0 | com.fasterxml.jackson.core:jackson-core-2.11.0 | Vulnerability as described is rather difficult to exploit even under the best of conditions. | Included in description | 0.00005 | false |
CVE-2025-49128 | 4.0 | com.fasterxml.jackson.core:jackson-core-2.9.10 | Vulnerability as described is rather difficult to exploit even under the best of conditions. | Included in description | 0.00005 | false |
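Most of the jackson-databind rows above carry the same applicability note: the CVE only matters if the application explicitly enables a polymorphic-deserialization style (Jackson's "default typing") and does not apply under default settings. The following added example, written for this issue and not code from OpenNMS or the Jackson project, makes that condition concrete so a contributor can justify or refute it: one constructed payload in Jackson's `[typeId, value]` wrapper-array form is read three ways. Under default settings it is an ordinary two-element list, with default typing enabled the first element is treated as a class name to instantiate, and with an allowlist-backed validator the unlisted type id is rejected. It assumes jackson-databind 2.10 or newer on the classpath (the image also carries 2.14.1) and uses the prefix `org.opennms.` purely as an illustrative allowlist entry.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

import java.io.IOException;

public class JacksonDefaultTypingCheck {

    // Constructed sample input for this example (not a real payload): Jackson's
    // WRAPPER_ARRAY form [typeId, value]. With default typing on, the first
    // element names the class to instantiate; with default settings it is
    // nothing more than a string inside a two-element JSON array.
    static final String SAMPLE = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    /** Default settings: Object targets get no polymorphic handling at all. */
    static Class<?> readWithDefaults() throws IOException {
        return new ObjectMapper().readValue(SAMPLE, Object.class).getClass();
    }

    /** The condition the advisories name: default typing explicitly enabled. */
    @SuppressWarnings("deprecation")
    static Class<?> readWithDefaultTyping() throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        // Deprecated since 2.10, but this call (and @JsonTypeInfo(use = Id.CLASS))
        // is the pattern to grep a code base for when justifying these findings.
        mapper.enableDefaultTyping();
        return mapper.readValue(SAMPLE, Object.class).getClass();
    }

    /** 2.10+ hardening: default typing only for an allowlisted subtype prefix. */
    static String readWithAllowlist() throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(
                BasicPolymorphicTypeValidator.builder()
                        // Assumption: the application's own package prefix.
                        .allowIfSubType("org.opennms.")
                        .build(),
                ObjectMapper.DefaultTyping.NON_FINAL);
        try {
            return mapper.readValue(SAMPLE, Object.class).getClass().getName();
        } catch (JsonMappingException e) {
            // A type id outside the allowlist is refused before any class is loaded.
            return "rejected: " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("default settings -> " + readWithDefaults().getName());
        System.out.println("default typing   -> " + readWithDefaultTyping().getName());
        System.out.println("allowlist typing -> " + readWithAllowlist());
    }
}
```

The first call yields a java.util.ArrayList, the second a java.util.HashMap built from the type id in the payload, and the third a rejection message; a code base whose ObjectMapper instances all behave like the first call is the situation the "DEFAULT SETTINGS" note describes.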
Tasks
Contributor:
- Provide justifications for findings in the VAT (docs)
- Apply the Status::Verification label to this issue and wait for feedback
Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the Status::Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Status::Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 16:30-17:30 EST to answer questions.