Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Block one more gadget type (HikariCP, CVE-2019-14540)

See original GitHub issue

Another gadget (*) type report regarding HikariConfig, via HikariDataSource

Mitre id: CVE-2019-14540 Reporter: iSafeBlue / blue at ixsec.org

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

Fixed in:

2.9.10
2.8.11.5
2.6.7.3
does not affect 2.10.0 and later

Issue Analytics

State:
Created 4 years ago
Comments:8 (4 by maintainers)

Top GitHub Comments

4reactions

jordandevcommented, Sep 20, 2019

No 2.9.9.4 micro patch for this?

2reactions

cowtowncodercommented, Sep 20, 2019

Nope.

Top Results From Across the Web

Block one more gadget type (HikariCP, CVE-2019-14540)

Another gadget (*) type report regarding HikariConfig , via HikariDataSource. Mitre id: CVE-2019-14540. Reporter: iSafeBlue / blue at ixsec.

Security Bulletin: Multiple vulnerabilities in Data-Binding ... - IBM

A remote attacker could exploit this vulnerability to launch XML ... gadgets and typing in org.apache.hadoop.shaded.com.zaxxer.hikari.

Jackson-databind – remote code execution vulnerability

https://github.com/FasterXML/jackson-databind/issues/2410 Block one more gadget type (HikariCP, CVE-2019-14540).

RHSA-2020:3192 - Security Advisory - Red Hat Customer Portal

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score ......

CVE-2019-14540 - Vulners

CPE Name Name Version fasterxml:jackson‑databind fasterxml jackson‑databind 2.6.7.3 fasterxml:jackson‑databind fasterxml jackson‑databind 2.8.11.5 fasterxml:jackson‑databind fasterxml jackson‑databind 2.9.10