From 390ab6a3f04598fba7ffe9df5f25d12de66d0541 Mon Sep 17 00:00:00 2001 
From: stschott
Date: Fri, 6 Sep 2024 15:53:04 +0200
Subject: [PATCH] add fix-commits to 39 jackson-databind CVEs
---
 statements/CVE-2017-15095/statement.yaml | 5 +++++
 statements/CVE-2018-14718/statement.yaml | 5 +++++
 statements/CVE-2018-14719/statement.yaml | 5 +++++
 statements/CVE-2018-14720/statement.yaml | 5 +++++
 statements/CVE-2018-14721/statement.yaml | 5 +++++
 statements/CVE-2018-19360/statement.yaml | 5 +++++
 statements/CVE-2018-19361/statement.yaml | 5 +++++
 statements/CVE-2018-19362/statement.yaml | 5 +++++
 statements/CVE-2019-12086/statement.yaml | 5 +++++
 statements/CVE-2019-12384/statement.yaml | 5 +++++
 statements/CVE-2019-12814/statement.yaml | 5 +++++
 statements/CVE-2019-14379/statement.yaml | 5 +++++
 statements/CVE-2019-14439/statement.yaml | 5 +++++
 statements/CVE-2019-14892/statement.yaml | 9 +++++++++
 statements/CVE-2019-14893/statement.yaml | 5 +++++
 statements/CVE-2019-16942/statement.yaml | 9 +++++++++
 statements/CVE-2019-16943/statement.yaml | 9 +++++++++
 statements/CVE-2019-17267/statement.yaml | 5 +++++
 statements/CVE-2019-17531/statement.yaml | 5 +++++
 statements/CVE-2019-20330/statement.yaml | 5 +++++
 statements/CVE-2020-10650/statement.yaml | 5 +++++
 statements/CVE-2020-10672/statement.yaml | 5 +++++
 statements/CVE-2020-10968/statement.yaml | 5 +++++
 statements/CVE-2020-10969/statement.yaml | 5 +++++
 statements/CVE-2020-11111/statement.yaml | 5 +++++
 statements/CVE-2020-11112/statement.yaml | 5 +++++
 statements/CVE-2020-11113/statement.yaml | 5 +++++
 statements/CVE-2020-11619/statement.yaml | 5 +++++
 statements/CVE-2020-11620/statement.yaml | 5 +++++
 statements/CVE-2020-14060/statement.yaml | 5 +++++
 statements/CVE-2020-14061/statement.yaml | 5 +++++
 statements/CVE-2020-14062/statement.yaml | 5 +++++
 statements/CVE-2020-14195/statement.yaml | 5 +++++
 statements/CVE-2020-24616/statement.yaml | 5 +++++
 statements/CVE-2020-24750/statement.yaml | 5 +++++
 statements/CVE-2020-8840/statement.yaml | 5 +++++
statements/CVE-2020-9546/statement.yaml | 5 +++++
 statements/CVE-2020-9547/statement.yaml | 5 +++++
 statements/CVE-2020-9548/statement.yaml | 5 +++++
 39 files changed, 207 insertions(+)
diff --git a/statements/CVE-2017-15095/statement.yaml b/statements/CVE-2017-15095/statement.yaml
index cb67c472e..6db6a1dae 100644
--- a/statements/CVE-2017-15095/statement.yaml
+++ b/statements/CVE-2017-15095/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2017-15095
 notes:
 - text: A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: ddfddfba6414adbecaff99684ef66eebd3a92e92
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
 reason: Reviewed manually
diff --git a/statements/CVE-2018-14718/statement.yaml b/statements/CVE-2018-14718/statement.yaml
index fc80df584..d7df2c64b 100644
--- a/statements/CVE-2018-14718/statement.yaml
+++ b/statements/CVE-2018-14718/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14718
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2018-14719/statement.yaml b/statements/CVE-2018-14719/statement.yaml
index 7ba732ef5..45eb9766b 100644
--- a/statements/CVE-2018-14719/statement.yaml
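Review bot: The new `fixes` entries carry a commit id and repository but nothing saying how the commit was matched to the CVE, whereas the neighbouring `artifacts` entry records `reason: Reviewed manually`; this applies to every hunk in the patch, not only CVE-2017-15095. Several statements share one commit — CVE-2018-14718, -14719, -14720 and -14721 all point at 87d29af25e82a249ea15858e2d4ecbf64091db44, and CVE-2018-19360/19361/19362 at 72cd4025a229fb28ec133235003dd4616f70afaa — which is plausible for batched blocklist updates in jackson-databind but means a single mis-attribution propagates to several CVEs. If the statement schema allows a note or reason on a fix entry, record the source of each mapping (the advisory reference, or the diff review that confirmed the commit touches the class named in the note); otherwise put that provenance in the commit message so a later auditor can re-verify it.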
+++ b/statements/CVE-2018-14719/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14719
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2018-14720/statement.yaml b/statements/CVE-2018-14720/statement.yaml
index e3a338871..90f98bc85 100644
--- a/statements/CVE-2018-14720/statement.yaml
+++ b/statements/CVE-2018-14720/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14720
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2018-14721/statement.yaml b/statements/CVE-2018-14721/statement.yaml
index 47c736184..7a88047a4 100644
--- a/statements/CVE-2018-14721/statement.yaml
+++ b/statements/CVE-2018-14721/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14721
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2018-19360/statement.yaml b/statements/CVE-2018-19360/statement.yaml
index 530aec70e..a1ef375bc 100644
--- a/statements/CVE-2018-19360/statement.yaml
+++ b/statements/CVE-2018-19360/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-19360
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 72cd4025a229fb28ec133235003dd4616f70afaa
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.1
 reason: Reviewed manually
diff --git a/statements/CVE-2018-19361/statement.yaml b/statements/CVE-2018-19361/statement.yaml
index 86f2808b1..8fdebdf68 100644
--- a/statements/CVE-2018-19361/statement.yaml
+++ b/statements/CVE-2018-19361/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-19361
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 72cd4025a229fb28ec133235003dd4616f70afaa
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
 reason: Reviewed manually
diff --git a/statements/CVE-2018-19362/statement.yaml b/statements/CVE-2018-19362/statement.yaml
index 43fbbabeb..d76b53ea7 100644
--- a/statements/CVE-2018-19362/statement.yaml
+++ b/statements/CVE-2018-19362/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-19362
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 72cd4025a229fb28ec133235003dd4616f70afaa
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
 reason: Reviewed manually
diff --git a/statements/CVE-2019-12086/statement.yaml b/statements/CVE-2019-12086/statement.yaml
index 05b85c2d3..d06f58956 100644
--- a/statements/CVE-2019-12086/statement.yaml
+++ b/statements/CVE-2019-12086/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-12086
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: dda513bd7251b4f32b7b60b1c13740e3b5a43024
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2019-12384/statement.yaml b/statements/CVE-2019-12384/statement.yaml
index 16471dc35..f2e39e131 100644
--- a/statements/CVE-2019-12384/statement.yaml
+++ b/statements/CVE-2019-12384/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-12384
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: c9ef4a10d6f6633cf470d6a469514b68fa2be234
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2019-12814/statement.yaml b/statements/CVE-2019-12814/statement.yaml
index 9d83032e5..70d7edd15 100644
--- a/statements/CVE-2019-12814/statement.yaml
+++ b/statements/CVE-2019-12814/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-12814
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 5f7c69bba07a7155adde130d9dee2e54a54f1fa5
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2019-14379/statement.yaml b/statements/CVE-2019-14379/statement.yaml
index 7f34be72c..52e77a279 100644
--- a/statements/CVE-2019-14379/statement.yaml
+++ b/statements/CVE-2019-14379/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-14379
 notes:
 - text: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: ad418eeb974e357f2797aef64aa0e3ffaaa6125b
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2019-14439/statement.yaml b/statements/CVE-2019-14439/statement.yaml
index 6ea11c345..0a9b7c346 100644
--- a/statements/CVE-2019-14439/statement.yaml
+++ b/statements/CVE-2019-14439/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-14439
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: ad418eeb974e357f2797aef64aa0e3ffaaa6125b
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2019-14892/statement.yaml b/statements/CVE-2019-14892/statement.yaml
index 65346b7e9..79503cad5 100644
--- a/statements/CVE-2019-14892/statement.yaml
+++ b/statements/CVE-2019-14892/statement.yaml
@@ -1,6 +1,15 @@
 vulnerability_id: CVE-2019-14892
 notes:
 - text: A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 41b7f9b90149e9d44a65a8261a8deedc7186f6af
+ repository: https://github.com/FasterXML/jackson-databind
+ - id: 819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b
+ repository: https://github.com/FasterXML/jackson-databind
+ - id: 335db543d45f21ffd0ecf3df8da52eb501a0f087
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
 reason: Reviewed manually
diff --git a/statements/CVE-2019-14893/statement.yaml b/statements/CVE-2019-14893/statement.yaml
index 1040b22a2..c6f8e4e82 100644
--- a/statements/CVE-2019-14893/statement.yaml
+++ b/statements/CVE-2019-14893/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-14893
 notes:
 - text: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 998efd708284778f29d83d7962a9bd935c228317
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
 reason: Reviewed manually
diff --git a/statements/CVE-2019-16942/statement.yaml b/statements/CVE-2019-16942/statement.yaml
index b38200d71..c97c0f110 100644
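Review bot: Three commits (41b7f9b90149e9d44a65a8261a8deedc7186f6af, 819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b, 335db543d45f21ffd0ecf3df8da52eb501a0f087) are listed under one `id: DEFAULT_BRANCH` entry, yet the note says the flaw was fixed in 2.9.10, 2.8.11.5 and 2.6.7.3, which suggests a fix plus backports on separate maintenance branches rather than three commits on the default branch. If that is the case, each backport belongs in its own `fixes` entry keyed by its branch (`- id: <branch-name>` with the real branch taken from the repository), otherwise a consumer checking whether a 2.6.x or 2.8.x artifact contains the fix is pointed at a branch that may not carry it. CVE-2019-16942 and CVE-2019-16943 list their three shared commits 9593e16cf5a3d289a9c584f7123639655de9ddac, 328a0f833daf6baa443ac3b37c818a0204714b0b and 54aa38d87dcffa5ccc23e64922e9536c82c1b9c8 the same way and should be checked together with this one.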
--- a/statements/CVE-2019-16942/statement.yaml
+++ b/statements/CVE-2019-16942/statement.yaml
@@ -1,6 +1,15 @@
 vulnerability_id: CVE-2019-16942
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 9593e16cf5a3d289a9c584f7123639655de9ddac
+ repository: https://github.com/FasterXML/jackson-databind
+ - id: 328a0f833daf6baa443ac3b37c818a0204714b0b
+ repository: https://github.com/FasterXML/jackson-databind
+ - id: 54aa38d87dcffa5ccc23e64922e9536c82c1b9c8
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2019-16943/statement.yaml b/statements/CVE-2019-16943/statement.yaml
index 472d184be..3a321d99c 100644
--- a/statements/CVE-2019-16943/statement.yaml
+++ b/statements/CVE-2019-16943/statement.yaml
@@ -1,6 +1,15 @@
 vulnerability_id: CVE-2019-16943
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 9593e16cf5a3d289a9c584f7123639655de9ddac
+ repository: https://github.com/FasterXML/jackson-databind
+ - id: 328a0f833daf6baa443ac3b37c818a0204714b0b
+ repository: https://github.com/FasterXML/jackson-databind
+ - id: 54aa38d87dcffa5ccc23e64922e9536c82c1b9c8
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2019-17267/statement.yaml b/statements/CVE-2019-17267/statement.yaml
index 5d4a75448..a3da6fee6 100644
--- a/statements/CVE-2019-17267/statement.yaml
+++ b/statements/CVE-2019-17267/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-17267
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 191a4cdf87b56d2ddddb77edd895ee756b7f75eb
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2019-17531/statement.yaml b/statements/CVE-2019-17531/statement.yaml
index 9945e874f..c4ea278a8 100644
--- a/statements/CVE-2019-17531/statement.yaml
+++ b/statements/CVE-2019-17531/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-17531
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: b5a304a98590b6bb766134f9261e6566dcbbb6d0
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2019-20330/statement.yaml b/statements/CVE-2019-20330/statement.yaml
index b595905cf..d82da96a9 100644
--- a/statements/CVE-2019-20330/statement.yaml
+++ b/statements/CVE-2019-20330/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-20330
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: fc4214a883dc087070f25da738ef0d49c2f3387e
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2020-10650/statement.yaml b/statements/CVE-2020-10650/statement.yaml
index d48e1841c..34d90213c 100644
--- a/statements/CVE-2020-10650/statement.yaml
+++ b/statements/CVE-2020-10650/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10650
 notes:
 - text: ""
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: a424c038ba0c0d65e579e22001dec925902ac0ef
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
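Review bot: The CVE-2020-10650 statement attaches fix commit a424c038ba0c0d65e579e22001dec925902ac0ef while its only note is still the empty `- text: ""` context line above the new `fixes` block, so a reader has no description to check the listed commit against. Since the file is being edited anyway, filling the note with the advisory text (as every other statement in this patch has) would make the new mapping reviewable; the empty note itself predates this commit.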
diff --git a/statements/CVE-2020-10672/statement.yaml b/statements/CVE-2020-10672/statement.yaml
index 67eafb001..8f30465d7 100644
--- a/statements/CVE-2020-10672/statement.yaml
+++ b/statements/CVE-2020-10672/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10672
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 592872f4235c7f2a3280725278da55544032f72d
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2020-10968/statement.yaml b/statements/CVE-2020-10968/statement.yaml
index 2e0c4987e..240753c1e 100644
--- a/statements/CVE-2020-10968/statement.yaml
+++ b/statements/CVE-2020-10968/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10968
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 05d7e0e13f43e12db6a51726df12c8b4d8040676
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2020-10969/statement.yaml b/statements/CVE-2020-10969/statement.yaml
index 18ed61837..71234eb72 100644
--- a/statements/CVE-2020-10969/statement.yaml
+++ b/statements/CVE-2020-10969/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10969
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 4d038c9de0aa80a5dae27f552a975cb39cc42b60
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2020-11111/statement.yaml b/statements/CVE-2020-11111/statement.yaml
index 1fc55a69f..10c2c87ab 100644
--- a/statements/CVE-2020-11111/statement.yaml
+++ b/statements/CVE-2020-11111/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11111
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 05d7e0e13f43e12db6a51726df12c8b4d8040676
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2020-11112/statement.yaml b/statements/CVE-2020-11112/statement.yaml
index 1b012a271..e39c4b843 100644
--- a/statements/CVE-2020-11112/statement.yaml
+++ b/statements/CVE-2020-11112/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11112
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 05d7e0e13f43e12db6a51726df12c8b4d8040676
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2020-11113/statement.yaml b/statements/CVE-2020-11113/statement.yaml
index 9db211e42..944d5fa8b 100644
--- a/statements/CVE-2020-11113/statement.yaml
+++ b/statements/CVE-2020-11113/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11113
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: e2ba12d5d60715d95105e3e790fc234cfb59893d
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2020-11619/statement.yaml b/statements/CVE-2020-11619/statement.yaml
index 3095ee752..b8cacc675 100644
--- a/statements/CVE-2020-11619/statement.yaml
+++ b/statements/CVE-2020-11619/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11619
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 113e89fb08b1b6b072d60b3e4737ed407c13db9a
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1
 reason: Reviewed manually
diff --git a/statements/CVE-2020-11620/statement.yaml b/statements/CVE-2020-11620/statement.yaml
index 0382cbed5..dac80aec9 100644
--- a/statements/CVE-2020-11620/statement.yaml
+++ b/statements/CVE-2020-11620/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11620
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 77040d85e3eb6710508e6445640ae1a3d5e60c22
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1
 reason: Reviewed manually
diff --git a/statements/CVE-2020-14060/statement.yaml b/statements/CVE-2020-14060/statement.yaml
index e5864de8d..66c6c4e5a 100644
--- a/statements/CVE-2020-14060/statement.yaml
+++ b/statements/CVE-2020-14060/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-14060
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: d1c67a0396e84c08d0558fbb843b5bd1f26e1921
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3
 reason: Reviewed manually
diff --git a/statements/CVE-2020-14061/statement.yaml b/statements/CVE-2020-14061/statement.yaml
index 47563600c..5b0c3543f 100644
--- a/statements/CVE-2020-14061/statement.yaml
+++ b/statements/CVE-2020-14061/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-14061
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 5c8642aeae9c756b438ab7637c90ef3c77966e6e
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3
 reason: Reviewed manually
diff --git a/statements/CVE-2020-14062/statement.yaml b/statements/CVE-2020-14062/statement.yaml
index 5bad0e586..ab2fca9fb 100644
--- a/statements/CVE-2020-14062/statement.yaml
+++ b/statements/CVE-2020-14062/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-14062
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 840eae2ca81c597a0010b2126f32dce17d384b70
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3
 reason: Reviewed manually
diff --git a/statements/CVE-2020-14195/statement.yaml b/statements/CVE-2020-14195/statement.yaml
index b2e8c9ffc..d80bc6ec2 100644
--- a/statements/CVE-2020-14195/statement.yaml
+++ b/statements/CVE-2020-14195/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-14195
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: f6d9c664f6d481703138319f6a0f1fdbddb3a259
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3
 reason: Reviewed manually
diff --git a/statements/CVE-2020-24616/statement.yaml b/statements/CVE-2020-24616/statement.yaml
index 6902fc1f2..878706e93 100644
--- a/statements/CVE-2020-24616/statement.yaml
+++ b/statements/CVE-2020-24616/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-24616
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2020-24750/statement.yaml b/statements/CVE-2020-24750/statement.yaml
index ea3e9cc15..1ea4f0da1 100644
--- a/statements/CVE-2020-24750/statement.yaml
+++ b/statements/CVE-2020-24750/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-24750
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 6cc9f1a1af323cd156f5668a47e43bab324ae16f
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
 reason: Reviewed manually
diff --git a/statements/CVE-2020-8840/statement.yaml b/statements/CVE-2020-8840/statement.yaml
index c13364716..e9c060933 100644
--- a/statements/CVE-2020-8840/statement.yaml
+++ b/statements/CVE-2020-8840/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-8840
 notes:
 - text: FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 914e7c9f2cb8ce66724bf26a72adc7e958992497
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
 reason: Reviewed manually
diff --git a/statements/CVE-2020-9546/statement.yaml b/statements/CVE-2020-9546/statement.yaml
index 2a78cd723..09e3f3d21 100644
--- a/statements/CVE-2020-9546/statement.yaml
+++ b/statements/CVE-2020-9546/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-9546
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 9f4e97019fb0dd836533d0b6198c88787e235ae2
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2020-9547/statement.yaml b/statements/CVE-2020-9547/statement.yaml
index 1ecba9b61..f2bce34f2 100644
--- a/statements/CVE-2020-9547/statement.yaml
+++ b/statements/CVE-2020-9547/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-9547
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 9f4e97019fb0dd836533d0b6198c88787e235ae2
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually
diff --git a/statements/CVE-2020-9548/statement.yaml b/statements/CVE-2020-9548/statement.yaml
index 9078d47ef..94f6058fe 100644
--- a/statements/CVE-2020-9548/statement.yaml
+++ b/statements/CVE-2020-9548/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-9548
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
+fixes:
+- id: DEFAULT_BRANCH
+ commits:
+ - id: 9f4e97019fb0dd836533d0b6198c88787e235ae2
+ repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
 reason: Reviewed manually