CVE-2019-14893 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 #430
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Vulnerable Package issue exists @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 in branch master
A flaw was discovered in FasterXML jackson-databind in all versions before 2.6.7.3, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as
enableDefaultTyping()or when @JsonTypeInfo is usingId.CLASSorId.MINIMAL_CLASSor in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.Namespace: cxronen
Repository: BookStore_VSCode
Repository Url: https://github.com/cxronen/BookStore_VSCode
CxAST-Project: cxronen/BookStore_VSCode
CxAST platform scan: fc26843f-bb4e-45c5-a7be-bc8203bed522
Branch: master
Application: BookStore_VSCode
Severity: HIGH
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-502
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 2.6.7.5
References
Advisory
Advisory
Issue
Commit
Commit
The text was updated successfully, but these errors were encountered: