Fix security vulnerabilities reported in jackson-databind >= 2.0.0, < 2.9.9.2

Description

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.2 or later. For example:

Always verify that the suggested upgrade is valid for and compatible with your codebase before merging it.

Details

CVE-2019-14379

moderate severity

*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

CVE-2019-14439

moderate severity

*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
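Both advisories hinge on the same precondition: default typing lets the JSON document name the class to instantiate, so any gadget class on the classpath becomes reachable. The following is an added illustration, not code from this ticket, the advisories, or the jackson-databind project. It shows the global and the per-property form of the vulnerable setting beside the hardened alternative, an explicit subtype allow-list that never takes a class name from the input. It assumes jackson-databind 2.9.x on the classpath; the Shape, Circle and Square types and the JSON strings are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not from the ticket or the jackson-databind project.
// Assumes jackson-databind 2.9.x; Shape, Circle, Square and the JSON strings
// below are constructed for illustration.
public class DefaultTypingExample {

    // Vulnerable setting (global): with default typing on, a value declared as
    // Object, or as any non-final type under NON_FINAL, is instantiated from a
    // class name carried in the JSON. That is what lets a gadget class on the
    // classpath (ehcache, logback in the advisories above) be reached by the
    // party that controls the document.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Vulnerable setting (per property): the same effect for a single field,
    // with no ObjectMapper configuration at all.
    static class WeakHolder {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Hardened: polymorphism through a closed set of logical names. The class to
    // instantiate is chosen from @JsonSubTypes, never from a class name in the
    // document, so an unlisted type id is an error rather than a class load.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {
        double area();
    }

    static class Circle implements Shape {
        public double radius;
        @Override public double area() { return Math.PI * radius * radius; }
    }

    static class Square implements Shape {
        public double side;
        @Override public double area() { return side * side; }
    }

    static class SafeHolder {
        public Shape payload;
    }

    // Returns the area of the parsed shape; throws on any type id outside the
    // allow-list. Default typing is never enabled on this mapper.
    static double parseSafe(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, SafeHolder.class).payload.area();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input against the weak mapper: the sender names the class
        // (a harmless one here) and that class is the one instantiated.
        Object chosenBySender = weakMapper()
            .readValue("[\"java.util.HashMap\",{}]", Object.class);
        System.out.println("weak mapper built: " + chosenBySender.getClass().getName());

        // Constructed input against the allow-list: a logical name.
        System.out.println("area = "
            + parseSafe("{\"payload\":{\"type\":\"circle\",\"radius\":2.0}}"));

        // Constructed input in the shape an attacker relies on under default
        // typing: a class name in the type field. Against the allow-list it is
        // an unknown type id and deserialization fails before any class loads.
        try {
            parseSafe("{\"payload\":{\"type\":\"java.util.HashMap\"}}");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The 2.9.9.2 release extends the deny-list in SubTypeValidator for the gadgets named in these two advisories; it does not turn default typing off. Keeping default typing disabled, or replacing it with a name-based allow-list as above, is what removes the class of bug rather than the two instances. For reference, jackson-databind 2.10 later deprecated enableDefaultTyping() in favour of activateDefaultTyping(PolymorphicTypeValidator, ...), which requires an explicit validator.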

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Peter Murray August 2, 2019 at 1:19 PM

cc: FYI, for prioritization into the backlog. (Sorry about all of the alerts this morning.)

Done

Details

Development Team

Vega


Created August 2, 2019 at 1:19 PM
Updated August 2, 2019 at 3:01 PM
Resolved August 2, 2019 at 2:31 PM