False positive: CVE-2017-17485 detected for fixed Jackson-databind


jackson-databind-2.7.9.2

False positive on library jackson-databind-2.7.9.2.jar - reported as cpe:/a:fasterxml:jackson:2.7.9.2, cpe:/a:fasterxml:jackson-databind:2.7.9.2, com.fasterxml.jackson.core:jackson-databind:2.7.9.2

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.7.9.2</version>
</dependency>

The CVE-2017-17485 vulnerability is fixed in:

  • Jackson-databind version 2.9.3.1
  • Jackson-databind version 2.7.9.2
  • Jackson-databind version 2.8.11

https://blog.nsfocusglobal.com/threats/vulnerability-analysis/jackson-databind-rce-vulnerability-handling-guide-cve-2017-17485/

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
jeremylong commented, Feb 7, 2018

We use the data from the NVD which still states everything prior to 2.8.11 is vulnerable. You can see this in the NVD entry CVE-2017-17485. Additionally, take a look at one of jackson-databind developers comments on the issue https://github.com/FasterXML/jackson-databind/issues/1855#issuecomment-363247755
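The mismatch described in the thread, as an added illustration that is not part of the issue or of DependencyCheck's code: a single NVD-style range ("everything prior to 2.8.11") is evaluated beside the per-branch fixed versions listed in the issue body (2.7.9.2, 2.8.11, 2.9.3.1), which is how a triager can tell a backport-driven false positive from a real hit. The range and the branch table are constructed from the text above, not fetched from the NVD.

```python
"""Branch-aware triage of a version-range CVE match (constructed example).

A plain "< 2.8.11" range flags jackson-databind 2.7.9.2 even though the
issue body says 2.7.9.2 carries the backported fix for CVE-2017-17485.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.7.9.2' into (2, 7, 9, 2); missing trailing parts count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


# Constructed from the maintainer's description of the NVD entry: one range,
# "all versions before 2.8.11 are affected".
NVD_VERSION_END_EXCLUDING = "2.8.11"

# Constructed from the issue body: first fixed release on each branch.
FIXED_PER_BRANCH = {
    (2, 7): "2.7.9.2",
    (2, 8): "2.8.11",
    (2, 9): "2.9.3.1",
}


@dataclass
class Triage:
    version: str
    nvd_flags: bool            # what the single "< end" range says
    branch_fixed: bool | None  # what the per-branch fixes say; None = branch unknown

    @property
    def false_positive(self) -> bool:
        """Range says vulnerable, but the branch already carries the fix."""
        return self.nvd_flags and self.branch_fixed is True

    @property
    def false_negative(self) -> bool:
        """Range says clean, but the branch has not reached its fixed release."""
        return not self.nvd_flags and self.branch_fixed is False


def triage(version: str) -> Triage:
    """Evaluate one artifact version against both views and report the gap."""
    v = parse_version(version)
    nvd_flags = v < parse_version(NVD_VERSION_END_EXCLUDING)
    fixed_on_branch = FIXED_PER_BRANCH.get(v[:2])
    branch_fixed = None if fixed_on_branch is None else v >= parse_version(fixed_on_branch)
    return Triage(version, nvd_flags, branch_fixed)


if __name__ == "__main__":
    for ver in ("2.7.9.1", "2.7.9.2", "2.8.10", "2.8.11", "2.9.3", "2.9.3.1", "2.6.7"):
        t = triage(ver)
        print(f"{ver:8} nvd_flags={t.nvd_flags!s:5} branch_fixed={t.branch_fixed!s:5} "
              f"false_positive={t.false_positive} false_negative={t.false_negative}")
```

Versions on a branch the table does not cover (2.6.x here) come back with `branch_fixed=None`, which is the signal to consult the vendor advisory rather than trust either answer.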

0 reactions
jeremylong commented, Apr 27, 2019

With the switch to the json data feeds in 5.0.0-M1 this issue was resolved.
