Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489)
From an email report there are 2 other c3p0 classes (above and beyond the ones listed in #1737) that need to be blocked.
EDIT 21-Jun-2021: Fix included in:
- 2.9.5
- 2.8.11.1
- 2.7.9.3
- 2.6.7.5
Top GitHub Comments
Hi! Any estimates for a 2.9.5 release? Thanks!
Hi FasterXML Team, the new vulnerability CVE-2018-7489 has been reported, and we are using jackson-databind version 2.9.4, which is now vulnerable. Please confirm to us when we can get a full new release like 2.9.5 or a patch fix in v2.9.4.1, which will help us get rid of this vulnerability.
- thanks, Dharmendra