Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
See original GitHub issue(note: placeholder until verified/validated, fix provided)
Another gadget type reported regarding a class of [TO BE ADDED]. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Mitre id: CVE-2020-9546 Reporters: threedr3am & LFY
Fix will be included in:
- 2.9.10.4
- 2.8.11.6 (
jackson-bom
version2.8.11.20200310
) - 2.7.9.7
- Does not affect 2.10.0 and later
Issue Analytics
- State:
- Created 4 years ago
- Comments:8 (4 by maintainers)
Top Results From Across the Web
CVE-2020-9546 | Vulnerability Database - Debricked
jackson-databind mishandles the interaction between serialization gadgets and ... Block one more gadget type (shaded-hikari-config, CVE-2020-9546) · Issue ...
Read more >Security Bulletin: Multiple vulnerabilities in Data-Binding ... - IBM
A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.
Read more >Oracle WebLogic: CVE-2020-9546 : Critical Patch Update
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what...
Read more >CVE-2020-9546 - Vulners
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop ...
Read more >RHSA-2020:3642 - Security Advisory - Red Hat Customer Portal
An update is now available for Red Hat JBoss Enterprise Application ... Serialization gadgets in shaded-hikari-config (CVE-2020-9546) ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
@lobozhu yes, I will do that when I have time to release it. At this point, it won’t be until next weekend, likely, since there is one more open report to handle.
@gonfva-bcl Open different issue for what? No need wrt making 2.9.10.4 release – it is delayed partly because there has been recent flood of submissions, not because release is forgotten. There are for now 7 additions, this included. 2 are work in progress wrt cve id.
I also try to focus hard on getting 2.11.0.rc1 out ASAP since there is not much value in updating block lists like here – researchers will find more, from all tens of thousands of OSS libraries, with diminishing return (since actual vulnerabilities only affect small subset of users, both wrt default typing being minority option and existence of specific jar in classpath).
I was hoping to get 2.9.10.4 released over the weekend but that did not happen. Next ETA would be next weekend, i.e in 5 days.