
Block yet another gadget type (jdom, CVE-2019-12814)

See original GitHub issue

Similar to other polymorphic types with no limits, but for XXE with jdom2.jar, tracked as CVE-2019-12814.

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for a description of the general problem.

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
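The issue describes one more gadget class added to jackson-databind's built-in deny-list; the durable mitigation is to never enable default typing without an allow-list. The following is an added example, not code from this issue or from the Jackson project, and it assumes jackson-databind 2.10 or later (where `PolymorphicTypeValidator` exists; the 2.9/2.8/2.7/2.6 fix versions listed above predate that API) plus the hypothetical package `com.example.model` and classes `Note` and `Envelope`. It shows the weak configuration beside the hardened one and that a type id outside the allow-list is refused before any class is instantiated.

```java
package com.example.model;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class DefaultTypingDemo {
    // Hypothetical application type: the only thing the allow-list admits.
    public static class Note { public String text; }

    // Hypothetical envelope with an Object-typed field, the shape where default
    // typing lets the sender of the JSON choose the concrete class.
    public static class Envelope { public Object payload; }

    // Weak setting: unrestricted default typing. Any class on the classpath may be
    // named in "@class"; safety then rests solely on jackson-databind's built-in
    // deny-list of known gadget classes, which is what this issue extends.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unrestrictedMapper() {
        return new ObjectMapper().enableDefaultTyping(
                ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT, JsonTypeInfo.As.PROPERTY);
    }

    // Hardened setting (jackson-databind 2.10+): default typing only through an
    // explicit allow-list, so an unexpected class is refused before instantiation.
    public static ObjectMapper hardenedMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")  // our own model package only
                .build();
        return new ObjectMapper().activateDefaultTyping(
                ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT, JsonTypeInfo.As.PROPERTY);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Accepted: the type id lies inside the allow-listed package (constructed input).
        String ok = "{\"payload\":{\"@class\":\"com.example.model.DefaultTypingDemo$Note\",\"text\":\"hi\"}}";
        Envelope env = mapper.readValue(ok, Envelope.class);
        System.out.println("accepted: " + ((Note) env.payload).text);
        // Refused: a JDK class outside the allow-list, standing in for any gadget class.
        String bad = "{\"payload\":{\"@class\":\"java.lang.StringBuilder\"}}";
        try {
            mapper.readValue(bad, Envelope.class);
        } catch (JsonMappingException ex) {
            System.out.println("refused: " + ex.getOriginalMessage());
        }
    }
}
```

With the hardened mapper the second `readValue` fails with an `InvalidTypeIdException` naming the validator; the same input against `unrestrictedMapper()` is stopped only if the class happens to be on the deny-list.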

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 35 (5 by maintainers)

Top GitHub Comments

47 reactions
anthonymonori commented, Jun 21, 2019

When can we expect a 2.9.9.1 release?

15 reactions
cowtowncoder commented, Jul 1, 2019

@asbachb 2.9.9.1 vs 2.9.10 comes down to whether I think spending lots of time (full 2.9.10) to get every component is warranted vs spending less time to release only jackson-databind.

I am back for a couple of days now, but flying out again in 2 days. I may have time to release databind 2.9.9.1 for everyone desperate to get that version.
