[FOLIO-2205] Track security vulnerability fixes reported in jackson-databind >= 2.0.0, < 2.9.9.2 Created: 02/Aug/19 Updated: 03/Jun/20 Resolved: 27/Jan/20 |
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Umbrella | Priority: | TBD |
| Reporter: | Peter Murray | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Issue links: | |
| Sprint: | |
| Description |
Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9.2 or later. For example:

    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>[2.9.9.2,)</version>
    </dependency>

Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2019-14379 (moderate severity): SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution.

CVE-2019-14439 (moderate severity): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. |
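Both CVEs share the same precondition: default typing is enabled on a property whose declared type is broad (Object, or any non-final type), so the JSON document itself names the class to instantiate, and the gadget classes (ehcache's and logback's in these two reports) only need to be on the classpath. The program below is an added example written for this ticket; it is not code from the FOLIO project or from jackson-databind, and the Envelope and Note classes and the two JSON messages are hypothetical and constructed here. It puts the weak setting (global enableDefaultTyping) beside the corrected one that jackson-databind 2.10 and later provide (activateDefaultTyping with a BasicPolymorphicTypeValidator allow-list) and feeds both a benign message and a probe whose type id names a class outside the allow-list.

```java
// Added example for FOLIO-2205; not FOLIO or jackson-databind code. Requires jackson-databind 2.10+.
import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    /** Hypothetical request type bound on an externally exposed endpoint. */
    public static class Envelope {
        public String id;
        public Object payload;   // Object-typed property: with default typing, the JSON names the class
    }

    /** Hypothetical payload type the service actually expects inside an Envelope. */
    public static class Note {
        public String text;
    }

    /** Weak setting: global default typing, so any class on the classpath may be named (do not use). */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Corrected setting: default typing restricted to an explicit allow-list of subtypes. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)   // only Note (or its subclasses) may appear as a type id
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** Deserializes one message and reports which class the payload was bound to, or why it was refused. */
    static String describe(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted payload of type "
                    + (e.payload == null ? "null" : e.payload.getClass().getName());
        } catch (JsonMappingException ex) {
            // The allow-list validator refuses disallowed type ids with a JsonMappingException subclass
            return "rejected: " + ex.getOriginalMessage();
        } catch (IOException ex) {
            return "malformed: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. With default typing the value is wrapped as ["fully.qualified.Class", value].
        String benign = "{\"id\":\"1\",\"payload\":[\"" + Note.class.getName() + "\",{\"text\":\"hi\"}]}";
        // Constructed probe naming a class outside the allow-list. An ordinary JDK class is used only to
        // show the difference; the CVEs above concern ehcache and logback classes, dangerous when present.
        String probe = "{\"id\":\"2\",\"payload\":[\"java.util.HashMap\",{}]}";

        System.out.println("vulnerable, benign: " + describe(vulnerableMapper(), benign));
        System.out.println("vulnerable, probe:  " + describe(vulnerableMapper(), probe));
        System.out.println("hardened,   benign: " + describe(hardenedMapper(), benign));
        System.out.println("hardened,   probe:  " + describe(hardenedMapper(), probe));
    }
}
```

The vulnerable mapper instantiates whatever class the probe names, while the hardened mapper accepts the Note message and refuses the probe with a JsonMappingException that names the disallowed type id. Two caveats on the remediation above: the 2.9.9.x patches only extend jackson's built-in blocklist of known gadget classes, so upgrading alone keeps a blocklist posture and the allow-list API needs 2.10 or later (which still satisfies "2.9.9.2 or later"); and the Maven range [2.9.9.2,) resolves to the newest matching version available at build time, so for a reproducible build pin the concrete version the module was tested against.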
| Comments |
| Comment by Peter Murray [ 27/Jan/20 ] |
Blocking issues are closed. |