Fix security vulnerabilities reported in jackson-databind >= 2.0.0, < 2.9.9.1

Description

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.1 or later. For example:

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>[2.9.9.1,)</version>
</dependency>

Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2019-12814
moderate severity
*Vulnerable versions:* >= 2.0.0, < 2.9.9.1
*Patched version:* 2.9.9.1

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
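The precondition named above is Default Typing. The following is an added illustration, not code from mod-codex-mux or from Jackson itself, of the weak ObjectMapper setting beside the configuration that avoids it: explicit subtype registration on the base type, so that an incoming type id can only resolve to a declared class. The Item, Book and Journal types and the sample JSON are hypothetical and constructed for the example; the Jackson 2.9 API is assumed.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class DefaultTypingCheck {

    // Weak setting: the precondition for CVE-2019-12814. With Default Typing on,
    // JSON reaching this mapper may name any class on the classpath as the
    // concrete type to instantiate, which is what a JDOM gadget exploits.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // avoid
        return mapper;
    }

    // Hardened alternative: Default Typing stays off and the permitted subtypes
    // are declared on the base type, so only these classes can be created.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Book.class, name = "book"),
        @JsonSubTypes.Type(value = Journal.class, name = "journal")
    })
    public interface Item {}

    public static class Book implements Item { public String title; }
    public static class Journal implements Item { public String issn; }

    static ObjectMapper safeMapper() {
        return new ObjectMapper(); // no enableDefaultTyping() call
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapper();
        // Constructed inputs: a legitimate record and one naming an unregistered class.
        String ok = "{\"type\":\"book\",\"title\":\"Example Title\"}";
        String bad = "{\"type\":\"com.example.NotRegistered\",\"title\":\"x\"}";

        Item item = mapper.readValue(ok, Item.class);
        System.out.println("Parsed " + item.getClass().getSimpleName());

        try {
            mapper.readValue(bad, Item.class);
        } catch (InvalidTypeIdException e) {
            // The id is not in the registered list, so no class is looked up or built.
            System.out.println("Rejected unknown type id: " + e.getTypeId());
        }
    }
}
```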

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Activity

Peter Murray September 10, 2019 at 1:14 PM

Superseded by another jackson-databind error in https://folio-org.atlassian.net/browse/MODCXMUX-54.

Julian Ladisch July 31, 2019 at 1:09 PM

The jackson-databind version bump to 2.9.9.1 has been merged to master: https://github.com/folio-org/mod-codex-mux/pull/67
We need a release of mod-codex-mux if we want to deploy the fixed version.

Peter Murray July 30, 2019 at 5:35 PM

Could you assign the development team and sprint to get this into a developer backlog, please?

Duplicate

Created July 30, 2019 at 5:34 PM
Updated September 10, 2019 at 1:14 PM
Resolved September 10, 2019 at 1:14 PM