Block more JDK gadget types (com.sun.rowset) #1680

cowtowncoder · 2017-06-27T04:56:59Z

(note: follow-up on #1599)

Looks like there is at least one other "well-known" type to block besides 9 already added (an impl class for database drivers): com.sun.rowset.JdbcRowSetImpl

Fixed in:

2.9.0 and all later
2.8.10
2.7.9.2
2.6.7.3

The text was updated successfully, but these errors were encountered:

cowtowncoder · 2017-06-30T16:30:10Z

Fixed for 2.8.10, 2.9.0; and if released, 2.7.10 (added post 2.7.9.1).

cowtowncoder · 2018-02-22T18:07:35Z

For further info: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

cowtowncoder added this to the 2.8.10 milestone Jun 30, 2017

cowtowncoder closed this as completed Jun 30, 2017

cowtowncoder added a commit that referenced this issue Jun 30, 2017

Fix #1680

e8f043d

cowtowncoder mentioned this issue Aug 6, 2017

Deserialization vulnerability via polymorphic deserialization (CVE-2017-7525) #1723

Closed

stevie400 mentioned this issue Sep 5, 2017

Use jackson-databind 2.7.9.1 HubSpot/basepom#20

Merged

cowtowncoder mentioned this issue Dec 1, 2017

In which release is CVE 2017-15095 fixed? #1847

Closed

cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Dec 12, 2017

cowtowncoder added a commit that referenced this issue Dec 12, 2017

Add a note wrt #1680

569e36e

This was referenced Jan 19, 2018

Update com.fasterxml.jackson version to 2.8.11 logfellow/logstash-logback-encoder#259

Merged

Upgrade Jackson dependencies TIBCOSoftware/jasperreports#15

Closed

This was referenced Dec 12, 2018

CVE-2017-15095 High Severity Vulnerability detected by WhiteSource emilva/vulnerable-struts-app#25

Open

CVE-2017-15095 High Severity Vulnerability detected by WhiteSource mixellent/wingtips#18

Open

mend-bolt-for-github bot mentioned this issue Dec 19, 2018

CVE-2017-15095 High Severity Vulnerability detected by WhiteSource reflectoring/infiniboard#301

Open

mend-bolt-for-github bot mentioned this issue Dec 27, 2018

CVE-2017-15095 (High) detected in jackson-databind-2.8.8.jar kevins01/Java3#2

Open

mend-bolt-for-github bot mentioned this issue Jan 28, 2019

CVE-2017-15095 High Severity Vulnerability detected by WhiteSource JohnDeere/work-tracker#23

Closed

This was referenced Aug 16, 2019

[deleted] Contrast-Security-OSS/ghardy-test#460

Closed

[deleted] Contrast-Security-OSS/ghardy-test#479

Closed

[deleted] Contrast-Security-OSS/ghardy-test#497

Closed

cowtowncoder changed the title ~~Blacklist couple more types for deserialization~~ Block more JDK gadget types (com.sun.rowset) Sep 12, 2019

This was referenced May 10, 2022

CVE-2017-15095 - high detected in com.fasterxml.jackson.core:jackson-databind rhicksiii91/java-goof-test#117

Open

CVE-2017-15095 - high detected in com.fasterxml.jackson.core:jackson-databind rhicksiii91/java-goof-test#213

Open

This was referenced Apr 28, 2023

Findings for Critical davisbarillas/shiftleft-java-demo2#57

Open

Findings for Critical davisbarillas/JavaVulnerableLab#15

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Block more JDK gadget types (com.sun.rowset) #1680

Block more JDK gadget types (com.sun.rowset) #1680

cowtowncoder commented Jun 27, 2017 •

edited

cowtowncoder commented Jun 30, 2017

cowtowncoder commented Feb 22, 2018

Block more JDK gadget types (com.sun.rowset) #1680

Block more JDK gadget types (com.sun.rowset) #1680

Comments

cowtowncoder commented Jun 27, 2017 • edited

cowtowncoder commented Jun 30, 2017

cowtowncoder commented Feb 22, 2018

cowtowncoder commented Jun 27, 2017 •

edited