<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:15:08 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-1683] Security vulnerability reported in jackson-databind &gt;= 2.8.0, &lt; 2.8.11.3</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-1683</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Remediation&quot;&gt;&lt;/a&gt;Remediation&lt;/h2&gt;

&lt;p&gt;Upgrade&#160;com.fasterxml.jackson.core:jackson-databind&#160;to version&#160;2.8.11.3&#160;or later. For example:&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-xml&quot;&gt;    
&lt;span class=&quot;code-tag&quot;&gt;&amp;lt;dependency&amp;gt;&lt;/span&gt;
 &lt;span class=&quot;code-tag&quot;&gt;&amp;lt;groupId&amp;gt;&lt;/span&gt;com.fasterxml.jackson.core&lt;span class=&quot;code-tag&quot;&gt;&amp;lt;/groupId&amp;gt;&lt;/span&gt;
 &lt;span class=&quot;code-tag&quot;&gt;&amp;lt;artifactId&amp;gt;&lt;/span&gt;jackson-databind&lt;span class=&quot;code-tag&quot;&gt;&amp;lt;/artifactId&amp;gt;&lt;/span&gt;
 &lt;span class=&quot;code-tag&quot;&gt;&amp;lt;version&amp;gt;&lt;/span&gt;[2.8.11.3,)&lt;span class=&quot;code-tag&quot;&gt;&amp;lt;/version&amp;gt;&lt;/span&gt;
&lt;span class=&quot;code-tag&quot;&gt;&amp;lt;/dependency&amp;gt;&lt;/span&gt;
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Always verify the validity and compatibility of suggestions with your codebase.&lt;/p&gt;

&lt;h2&gt;&lt;a name=&quot;Details&quot;&gt;&lt;/a&gt;Details&lt;/h2&gt;

&lt;h3&gt;&lt;a name=&quot;CVE201819360%C2%A0Moreinformation%28https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE201819360%29&quot;&gt;&lt;/a&gt;CVE-2018-19360&#160;&lt;span class=&quot;error&quot;&gt;&amp;#91;More information&amp;#93;&lt;/span&gt;(&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-19360&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-19360&lt;/a&gt;)&lt;/h3&gt;

&lt;p&gt;high severity&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Vulnerable versions:&lt;/b&gt;*&#160;&amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Patched version:&lt;/b&gt;*&#160;2.8.11.3&lt;/p&gt;

&lt;p&gt;FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;CVE201814720%C2%A0Moreinformation%28https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE201814720%29&quot;&gt;&lt;/a&gt;CVE-2018-14720&#160;&lt;span class=&quot;error&quot;&gt;&amp;#91;More information&amp;#93;&lt;/span&gt;(&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-14720&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-14720&lt;/a&gt;)&lt;/h3&gt;

&lt;p&gt;high severity&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Vulnerable versions:&lt;/b&gt;*&#160;&amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Patched version:&lt;/b&gt;*&#160;2.8.11.3&lt;/p&gt;

&lt;p&gt;FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;CVE201814719%C2%A0Moreinformation%28https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE201814719%29&quot;&gt;&lt;/a&gt;CVE-2018-14719&#160;&lt;span class=&quot;error&quot;&gt;&amp;#91;More information&amp;#93;&lt;/span&gt;(&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-14719&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-14719&lt;/a&gt;)&lt;/h3&gt;

&lt;p&gt;high severity&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Vulnerable versions:&lt;/b&gt;*&#160;&amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Patched version:&lt;/b&gt;*&#160;2.8.11.3&lt;/p&gt;

&lt;p&gt;FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;CVE201814718%C2%A0Moreinformation%28https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE201814718%29&quot;&gt;&lt;/a&gt;CVE-2018-14718&#160;&lt;span class=&quot;error&quot;&gt;&amp;#91;More information&amp;#93;&lt;/span&gt;(&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-14718&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-14718&lt;/a&gt;)&lt;/h3&gt;

&lt;p&gt;high severity&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Vulnerable versions:&lt;/b&gt;*&#160;&amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Patched version:&lt;/b&gt;*&#160;2.8.11.3&lt;/p&gt;

&lt;p&gt;FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;CVE201819362%C2%A0Moreinformation%28https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE201819362%29&quot;&gt;&lt;/a&gt;CVE-2018-19362&#160;&lt;span class=&quot;error&quot;&gt;&amp;#91;More information&amp;#93;&lt;/span&gt;(&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-19362&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-19362&lt;/a&gt;)&lt;/h3&gt;

&lt;p&gt;high severity&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Vulnerable versions:&lt;/b&gt;*&#160;&amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Patched version:&lt;/b&gt;*&#160;2.8.11.3&lt;/p&gt;

&lt;p&gt;FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;CVE201819361%C2%A0Moreinformation%28https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE201819361%29&quot;&gt;&lt;/a&gt;CVE-2018-19361&#160;&lt;span class=&quot;error&quot;&gt;&amp;#91;More information&amp;#93;&lt;/span&gt;(&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-19361&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-19361&lt;/a&gt;)&lt;/h3&gt;

&lt;p&gt;high severity&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Vulnerable versions:&lt;/b&gt;*&#160;&amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Patched version:&lt;/b&gt;*&#160;2.8.11.3&lt;/p&gt;

&lt;p&gt;FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;CVE201814721%C2%A0Moreinformation%28https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE201814721%29&quot;&gt;&lt;/a&gt;CVE-2018-14721&#160;&lt;span class=&quot;error&quot;&gt;&amp;#91;More information&amp;#93;&lt;/span&gt;(&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-14721&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-14721&lt;/a&gt;)&lt;/h3&gt;

&lt;p&gt;high severity&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Vulnerable versions:&lt;/b&gt;*&#160;&amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&lt;/p&gt;

&lt;p&gt;*&lt;b&gt;Patched version:&lt;/b&gt;*&#160;2.8.11.3&lt;/p&gt;

&lt;p&gt;FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.&lt;/p&gt;</description>
                <environment></environment>
        <key id="80976">FOLIO-1683</key>
            <summary>Security vulnerability reported in jackson-databind &gt;= 2.8.0, &lt; 2.8.11.3</summary>
                <type id="10006" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10307?size=medium">Umbrella</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5ced27478b03050f27825a93">Peter Murray</reporter>
                                    <labels>
                            <label>security</label>
                    </labels>
                <created>Fri, 4 Jan 2019 21:10:40 +0000</created>
                <updated>Wed, 3 Jun 2020 16:39:21 +0000</updated>
                            <resolved>Wed, 9 Jan 2019 18:54:27 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>1</watches>
                                                                <comments>
                                                            <comment id="193569" author="5ced27478b03050f27825a93" created="Wed, 9 Jan 2019 18:54:27 +0000"  >&lt;p&gt;All reported modules are fixed.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="75610">MODCAL-28</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="75863">MODPWD-14</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="63048">MODSOURCE-21</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="57609">MODSOURMAN-51</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="76697">MODTEMPENG-10</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="80950">FOLIO-1580</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="80975">FOLIO-1682</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzzajj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>