Block yet another gadget type (jdom, CVE-2019-12814)
Similar to other polymorphic types with no limits, but for XXE with jdom2.jar, tracked as CVE-2019-12814.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Fixed in:
- 2.9.10
- 2.8.11.4
- 2.7.9.6
- 2.6.7.3
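As an added illustration (not code from the issue or from jackson-databind itself), the configuration that makes this class of gadget reachable beside the allow-list form that removes it: `enableDefaultTyping()` lets any non-final class on the classpath be named as a type id, while `activateDefaultTyping` with a `BasicPolymorphicTypeValidator` (available from jackson-databind 2.10) only resolves type ids the application explicitly trusts. The `Order` model class and the JSON inputs are constructed for the demo.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application model; the only polymorphic target the service should accept.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Weak: unbounded default typing. Every non-final class becomes a valid type id,
    // so the only protection is the databind denylist that this issue extends.
    static ObjectMapper unboundedMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 because it has no limits
        return m;
    }

    // Hardened: an allow-list validator consulted before a type id is resolved.
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Order.class.getName()) // prefix match on the trusted model
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in the default WRAPPER_ARRAY form: ["<class name>", <value>].
        String trusted = "[\"" + Order.class.getName() + "\", {\"id\":\"A1\",\"quantity\":2}]";
        String untrusted = "[\"java.lang.StringBuilder\", \"whatever\"]";

        // The unbounded mapper instantiates whatever class the input names.
        Object loose = unboundedMapper().readValue(untrusted, Object.class);
        System.out.println("unbounded mapper instantiated: " + loose.getClass().getName());

        // The allow-list mapper accepts the model class and refuses anything else.
        Object ok = allowListMapper().readValue(trusted, Object.class);
        System.out.println("allow-listed type accepted: " + (ok instanceof Order));
        try {
            allowListMapper().readValue(untrusted, Object.class);
            System.out.println("UNEXPECTED: untrusted type id accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected by PolymorphicTypeValidator: " + e.getTypeId());
        }
    }
}
```

The second mapper fails closed: a type id outside the allow-list raises `InvalidTypeIdException` instead of depending on a denylist entry existing for that class.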
Top GitHub Comments
When can we expect a 2.9.9.1 release?

@asbachb 2.9.9.1 vs 2.9.10 comes down to whether I think spending lots of time (full 2.9.10) to get every component is warranted vs spending less time to release only jackson-databind. I am back for a couple of days now, but flying out again in 2 days. I may have time to release databind 2.9.9.1 for everyone desperate to get that version.