Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block some more DBCP-related potential gadget classes (CVE-2020-36179 - CVE-2020-36182) #3004

Closed
cowtowncoder opened this issue Jan 1, 2021 · 1 comment
Closed

Block some more DBCP-related potential gadget classes (CVE-2020-36179 - CVE-2020-36182) #3004

cowtowncoder opened this issue Jan 1, 2021 · 1 comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.8

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Jan 1, 2021
edited

One additional, not-yet-blocked type of Apache DBCP (1.x/2.x) library was reported as possible gadget type and should be blocked.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Reporter(s): Al1ex@knownsec
Mitre id(s):

Fix is included in:
@cowtowncoder cowtowncoder added CVE Issues related to public CVEs (security vuln reports) to-evaluate Issue that has been received but not yet evaluated and removed to-evaluate Issue that has been received but not yet evaluated labels Jan 1, 2021
@cowtowncoder cowtowncoder added this to the 2.9.10.8 milestone Jan 1, 2021
@abergmann
Copy link

The following CVEs have been assigned to this issue:

@cowtowncoder cowtowncoder changed the title Block one more DBCP-related potential gadget class Block some more DBCP-related potential gadget classes Jan 7, 2021
@cowtowncoder cowtowncoder changed the title Block some more DBCP-related potential gadget classes Block some more DBCP-related potential gadget classes Jan 7, 2021
@cowtowncoder cowtowncoder changed the title Block some more DBCP-related potential gadget classes Block some more DBCP-related potential gadget classes (CVE-2020-36179 - CVE-2020-36182) Jan 7, 2021
This was referenced Jan 9, 2021
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
This was referenced Dec 25, 2022
Open
Open
This was referenced Dec 20, 2022
Open
Open
Open
This was referenced Feb 17, 2023
Open
Open
Open
Open
This was referenced Nov 22, 2022
Open
Open
Open
Open
This was referenced Mar 15, 2023
Open
Open
Open
This was referenced Feb 15, 2023
Open
Open
Open
Open
Closed
Open
This was referenced Apr 28, 2023
Open
Open
This was referenced May 25, 2023
Open
Open
Open
This was referenced May 25, 2023
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.8
Development

No branches or pull requests
2 participants
@cowtowncoder @abergmann