Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489)

From an email report there are 2 other c3p0 classes (above and beyond the ones listed in #1737) that need to be blocked.

EDIT 21-Jun-2021: Fix included in:

  • 2.9.5
  • 2.8.11.1
  • 2.7.9.3
  • 2.6.7.5

Top GitHub Comments

14 reactions
aiannucci commented, Mar 20, 2018

Hi! Any estimates for a 2.9.5 release? Thanks!

3 reactions
DKumars commented, Mar 26, 2018

Hi FasterXML Team, as the new vulnerability CVE-2018-7489 has been reported and we are using jackson-databind version 2.9.4, which is now vulnerable, please confirm to us when we can get a full new release like 2.9.5 or a patch fix in v2.9.4.1, which will help us get rid of this vulnerability.

- thanks, Dharmendra
