github.com/CycloneDX/sbom-utility@v0.16.0/examples/cyclonedx/usecases/cdx-use-case-vulnerability-exploitability.json (about) 1 { 2 "bomFormat": "CycloneDX", 3 "specVersion": "1.4", 4 "version": 1, 5 "vulnerabilities": [ 6 { 7 "id": "CVE-2018-7489", 8 "source": { 9 "name": "NVD", 10 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489" 11 }, 12 "ratings": [ 13 { 14 "source": { 15 "name": "NVD", 16 "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0" 17 }, 18 "score": 9.8, 19 "severity": "critical", 20 "method": "CVSSv3", 21 "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 22 } 23 ], 24 "cwes": [ 25 184, 26 502 27 ], 28 "description": "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.", 29 "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.7.9.3, 2.8.11.1, 2.9.5 or higher (the first fixed release of the branch in use; per the description, every release before 2.7.9.3 on the 2.7 line is affected).", 30 "advisories": [ 31 { 32 "title": "GitHub Commit", 33 "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2" 34 }, 35 { 36 "title": "GitHub Issue", 37 "url": "https://github.com/FasterXML/jackson-databind/issues/1931" 38 } 39 ], 40 "created": "2021-01-01T00:00:00.000Z", 41 "published": "2021-01-01T00:00:00.000Z", 42 "updated": "2021-01-01T00:00:00.000Z", 43 "analysis": { 44 "state": "not_affected", 45 "justification": "code_not_reachable", 46 "response": [ 47 "will_not_fix", 48 "update" 49 ], 50 "detail": "Optional, but for a not_affected/code_not_reachable claim it should state the evidence: e.g. a call-graph or reachability analysis showing that ObjectMapper.readValue is never invoked on untrusted JSON in this application, or that the c3p0 libraries the blacklist bypass depends on are not on the classpath. Without this, downstream consumers cannot verify the exploitability assessment." 
51 }, 52 "affects": [ 53 { 54 "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#jackson-databind-2.8.0" 55 } 56 ] 57 } 58 ] 59 }