CVE-2019-14893 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.8.9 #53
Comments
margaritalm
added
project:margaritalm/BookStore_Small_CLI_small
SCA
and removed
CxSCA
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Checkmarx (SCA): Vulnerable Package
Vulnerability: Read More about CVE-2019-14893
Checkmarx Project: margaritalm/BookStore_Small_CLI_small
Repository URL: https://github.com/margaritalm/BookStore_Small_CLI_small
Branch: master
Scan ID: 79dde67e-447e-480d-9f9e-f0bfb2e3e6f8
A flaw was discovered in FasterXML jackson-databind in all versions before 2.6.7.3, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as
enableDefaultTyping()or when @JsonTypeInfo is usingId.CLASSorId.MINIMAL_CLASSor in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 2.8.11.3-redhat-00001
The text was updated successfully, but these errors were encountered: