Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Summary of Vulnerable Dependencies (click to show all)
Description:
This project provides base classes, types and methods
License:
Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: /home/runner/.m2/repository/org/bedework/bw-base/2.0.0/bw-base-2.0.0.jar
Description:
Basic support for json objects and types
License:
Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: /home/runner/.m2/repository/org/bedework/bw-json/2.0.0/bw-json-2.0.0.jar
Description:
This project provides logging utility classes and methods
License:
Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: /home/runner/.m2/repository/org/bedework/bw-util-logging/6.0.0/bw-util-logging-6.0.0.jar
Description:
This project provides a number of utility classes and methods
License:
Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: /home/runner/.m2/repository/org/bedework/bw-util-misc/6.0.1/bw-util-misc-6.0.1.jar
Description:
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. The code is tested using the latest revision of the JDK for supported LTS releases: 8, 11, 17 and 21 currently. See https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml Please ensure your build environment is up-to-date and kindly report any build issues.
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /home/runner/.m2/repository/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar
Description:
Apache Commons Text is a set of utility functions and reusable components for processing
and manipulating text in a Java environment.
License:
https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /home/runner/.m2/repository/org/apache/commons/commons-text/1.14.0/commons-text-1.14.0.jar
Description:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.18.2/jackson-core-2.18.2.jar
Description:
General data-binding functionality for Jackson: works on core streaming API
License:
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txtFile Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.18.2/jackson-databind-2.18.2.jar
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete List of Disallowed Inputs
Vulnerable Software & Versions: (show all)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.CWE-184 Incomplete List of Disallowed Inputs
Vulnerable Software & Versions: (show all)
CVE-2026-54515 (OSSINDEX)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://guide.sonatype.com/vulnerability/CVE-2026-54515 for detailsCWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Vulnerable Software & Versions (OSSINDEX):
CVE-2026-54518 (OSSINDEX)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://guide.sonatype.com/vulnerability/CVE-2026-54518 for detailsCWE-863 Incorrect Authorization
Vulnerable Software & Versions (OSSINDEX):
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.CWE-918 Server-Side Request Forgery (SSRF)
Vulnerable Software & Versions: (show all)