Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Issues

Go to all issues
Select view

Select search mode

 
50 of 405

Fix security vulnerabilities reported in jackson-databind >= 2.0.0, < 2.9.9.2

Done

Description

Another day, another jackson-databind vulnerability?

2 com.fasterxml.jackson.core:jackson-databind vulnerabilities found in pom.xm 5 minutes ago

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.2 or later. For example:

Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2019-14379

moderate severity

*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

CVE-2019-14439

moderate severity

*Vulnerable versions:* < 2.9.9.2
*Patched version:* 2.9.9.2

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Checklist

hide

TestRail: Results

Details

Assignee

Reporter

Labels

Priority

Story Points

Sprint

Development Team

Core: Platform

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs
Created August 1, 2019 at 7:34 PM
Updated August 12, 2019 at 1:06 PM
Resolved August 2, 2019 at 4:16 PM
Configure

Activity

Show:

Hongwei Ji August 2, 2019 at 4:16 PM

Oops, I fixed it yesterday before seeing this ticket today.

Julian Ladisch August 2, 2019 at 4:13 PM

Hongwei Ji has merged the jackson-databind version bump to 2.9.9.2 to master:
https://github.com/folio-org/mod-login-saml/pull/48
We need a release of mod-login-saml if we want to deploy the fixed version.

Peter Murray August 1, 2019 at 7:36 PM

: Would you mind bumping the version here again?

TestRail: Cases
TestRail: Runs