Uploaded image for project: 'JBeret'
  1. JBeret
  2. JBERET-484

Upgrade com.fasterxml.jackson.core:jackson-databind 2.9.8 to 2.10.0 to address security vulnerability

    Details

    • Type: Task
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.4.0.Alpha1
    • Fix Version/s: 1.4.0.Beta1
    • Component/s: other
    • Labels:
      None

      Description

      Known moderate severity security vulnerability detected in com.fasterxml.jackson.core:jackson-databind >= 2.0.0, < 2.9.9 defined in pom.xml.
      pom.xml update suggested: com.fasterxml.jackson.core:jackson-databind ~> 2.9.9.

      Remediation
      Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.9 or later. For example:

      <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>[2.9.9,)</version>
      </dependency>

      CVE-2019-12086 More information
      moderate severity
      Vulnerable versions: >= 2.0.0, < 2.9.9
      Patched version: 2.9.9
      A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

      com.fasterxml.jackson.core:jackson-databind in Maven central:
      https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.9/bundle

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                cfang Cheng Fang
                Reporter:
                cfang Cheng Fang
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: