Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840) #2620

Closed
cowtowncoder opened this issue Feb 9, 2020 · 6 comments
Closed

Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840) #2620

cowtowncoder opened this issue Feb 9, 2020 · 6 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.3

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Feb 9, 2020
edited

Another gadget (*) type reported related to JNDI access.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-8840
Original discoverer: @threedr3am

Fixed in:

  • 2.9.10.3 (jackson-bom version 2.9.10.20200223)
  • 2.8.11.5 (jackson-bom version 2.8.11.20200210)
  • 2.7.9.7
  • does not affect 2.10.0 and later
@cowtowncoder cowtowncoder added this to the 2.9.10.3 milestone Feb 9, 2020
@cowtowncoder cowtowncoder mentioned this issue Feb 10, 2020
Closed
@cowtowncoder cowtowncoder changed the title Block one more gadget type (xbean-reflect/JNDI - CVE-2020-xxxxx) Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840) Feb 10, 2020
This was referenced Feb 12, 2020
Open
Open
Closed
Closed
Closed
Closed
Closed
Open
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Feb 12, 2020
Open
1 task
This was referenced Feb 12, 2020
Open
Open
Open
Open
Open
Closed
Closed
@attritionorg
Copy link

@cowtowncoder Is there an ETA on releasing 2.9.10.3? Thanks!

@cowtowncoder
Copy link
Member Author

I hope to have time to do the micro-patch release this by end of the week.

@cowtowncoder
Copy link
Member Author

Release making its way to Maven Central now.

@joschi joschi mentioned this issue Feb 23, 2020
Merged
This was referenced Feb 25, 2020
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Feb 25, 2020
Open
This was referenced Feb 27, 2022
Closed
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 1, 2022
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Mar 1, 2022
Closed
This was referenced Mar 11, 2022
Closed
Closed
This was referenced Mar 12, 2022
Closed
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 14, 2022
Open
This was referenced Mar 14, 2022
Closed
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 22, 2022
Open
This was referenced Mar 31, 2022
Closed
Open
This was referenced May 10, 2022
Open
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue May 17, 2022
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 31, 2022
Closed
This was referenced May 31, 2022
Closed
Closed
Closed
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
This was referenced Feb 15, 2023
Open
Open
This was referenced Apr 28, 2023
Open
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@joshn-whitesource-app joshn-whitesource-app bot mentioned this issue Dec 27, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.3
Development

No branches or pull requests
4 participants
@cowtowncoder @attritionorg @nobdy @GodIsDevil