Block one more gadget type (mybatis, CVE-2018-11307) #2032
Comments
cowtowncoder
added
CVE
cowtowncoder
changed the title
cowtowncoder
changed the title
|
@cowtowncoder - When do you think 2.9.6 will be released? |
|
@Boaz20 have been hoping to get "any day now" -- with good luck, by end of the week. But unfortunately I have been extremely busy (new job, house remodeling :) ). |
|
@cowtowncoder - thanks for the follow-up - much appreciated. |
|
Fix included in
which were just released and will be included in
as soon as we get it finalized -- being full release it is a bigger process than micro-patches. |
Closed
This was referenced May 4, 2019
Open
This was referenced May 11, 2019
Open
This was referenced May 19, 2019
Open
This was referenced Feb 27, 2022
CVE-2018-11307 (High) detected in jackson-databind-2.6.7.3.jar - autoclosed
Gal-Doron/LicenseTest#19
Closed
This was referenced Mar 11, 2022
This was referenced May 31, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A new potential gadget type from MyBatis (https://github.com/mybatis/mybatis-3) has been reported. It may allow content exfiltration (remote access by sending contents over ftp) when untrusted content is deserialized with default typing enabled.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Mitre id: CVE-2018-11307
Original vulnerability discoverer:
吴桂雄 Wuguixiong
Fixed in
The text was updated successfully, but these errors were encountered: