Fix potential security vulnerabilities com.fasterxml.jackson.core:jackson-databind #14

Closed
@dikhan

Description

Update jackson-databind artifact version to 2.8.11.1 as suggested by GitHub after finding potential security vulnerabilities:

Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11.1 or later. For example:

<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>[2.8.11.1,)</version>
</dependency>

Details:

CVE-2017-17485 (high severity)
Vulnerable versions: < 2.8.11
Patched version: 2.8.11
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

CVE-2017-15095 (high severity)
Vulnerable versions: < 2.8.11
Patched version: 2.8.11
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVE-2018-7489 (high severity)
Vulnerable versions: < 2.8.11.1
Patched version: 2.8.11.1
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

CVE-2017-7525 (high severity)
Vulnerable versions: >= 2.8.0, < 2.8.9
Patched version: 2.8.9
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
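A quick way to confirm that a resolved jackson-databind version is outside every range listed above, as an added example (not part of this issue or of jackson-databind): the script below parses the advisory's range strings, including the four-component `2.8.11.1`, and reports which of the four CVEs a given version still falls into.

```python
# Added example (not from the issue or the jackson-databind project): parse the
# "Vulnerable versions" ranges quoted in the advisory above and report which of
# the listed CVEs a given jackson-databind version still falls into.
import re

# Advisory data exactly as quoted in the issue description.
ADVISORIES = {
    "CVE-2017-17485": "< 2.8.11",
    "CVE-2017-15095": "< 2.8.11",
    "CVE-2018-7489": "< 2.8.11.1",
    "CVE-2017-7525": ">= 2.8.0, < 2.8.9",
}

PATCHED = "2.8.11.1"  # version the remediation asks for


def parse_version(v):
    """Turn '2.8.11.1' into a comparable tuple; missing components count as 0."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def in_range(version, range_spec):
    """True if version satisfies every comma-separated clause, e.g. '>= 2.8.0, < 2.8.9'."""
    ver = parse_version(version)
    for clause in range_spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        if not _OPS[m.group(1)](ver, parse_version(m.group(2))):
            return False
    return True


def affected_cves(version):
    """Sorted CVE ids from the advisory whose vulnerable range still contains version."""
    return sorted(cve for cve, spec in ADVISORIES.items() if in_range(version, spec))


def satisfies_remediation(version):
    """True once the version meets the '2.8.11.1 or later' remediation."""
    return parse_version(version) >= parse_version(PATCHED)


if __name__ == "__main__":
    for v in ("2.8.8", "2.8.10", "2.8.11", "2.8.11.1"):
        print(v, affected_cves(v), "ok" if satisfies_remediation(v) else "UPGRADE")
```

The ranges are the ones GitHub reported for the 2.8 line, so a 2.9.x version would need the 2.9 ranges from the CVE descriptions (2.9.x through 2.9.3, and 2.9.x before 2.9.5) added to `ADVISORIES` before the result means anything for it.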
