(Jackson 1.x) Fix is needed for CVE-2019-10172 in org.codehaus.jackson : jackson-mapper-asl #2547
Comments
This repository is for Jackson 2.x, not Jackson 1.x. The 1.x repository is https://github.com/FasterXML/jackson-1, but it is not actively developed; nor is there a working way to publish new versions as far as I know (1.x was built using Ant, published with the Ant Maven task). So unless you are willing to work on it yourself and figure out the publishing aspects, it is unlikely there would be a new version with a fix.
I think the same vulnerability exists in version 2.x also.
@arajwade It would help if you could outline why you feel it would affect 2.x. I have not seen a specific issue reported against 2.x.
What was the conclusion here? Is there any version that has a fix or is not affected?
@reswaras My assumption as of now is that if there is a remaining problem it will be reported: the existence of a CVE is typically not a starting point for investigation but a side effect -- whoever files for a CVE should work with the authors to help resolve the problem. There are also duplicate CVEs that relate to already-fixed problems, so it is possible the problem did exist but has been resolved. As to Jackson 1.x, if the problem exists it will not be fixed under this project. But the same formula would be applicable wrt
Can you please refer to the following Stack Overflow thread. It explains the fix applied in a private build by anyone wanting to fix this on Jackson 1.x. Can you please check if the fix described is valid and whether an identical fix is needed in Jackson 2.x?
@arajwade I am not your servant -- if you want to figure it out, you are welcome to do your own tasks. The post is from 2016.
Fix is needed for CVE-2019-10172 in org.codehaus.jackson : jackson-mapper-asl
Can you please fix this vulnerability?
Sonatype Nexus auditor is reporting the following vulnerability for CVE-2019-10172:
Vulnerability
Issue: CVE-2019-10172
Severity: Sonatype CVSS 3: 7.3; CVE CVSS 2.0: 0.0
Weakness: Sonatype CWE: 611
Source: National Vulnerability Database
Categories: Data
Description from CVE: A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries, but in different classes.
Root Cause: jackson-mapper-asl-1.9.12.jar <= org/codehaus/jackson/map/ext/DOMDeserializer.class : [1.9,)
Advisories
Third Party: https://access.redhat.com/security/cve/cve-2019-10172
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
Third Party: https://nvd.nist.gov/vuln/detail/CVE-2019-10172
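The standard mitigation for XXE of the kind reported against DOMDeserializer above is to build the DOM parser from a factory that refuses DOCTYPE declarations and external entities. The following is an added example, not code from this issue or from the Jackson project; the feature URIs are the standard JAXP/Xerces ones supported by the JDK's built-in parser, and the sample documents are constructed here to show the hardened factory rejecting a DOCTYPE while still parsing plain XML.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedDomParsing {

    // Factory with DTD processing and external entity resolution switched off.
    // Assumption: these feature URIs are honoured by the JDK's Xerces-based parser;
    // a parser that does not support one of them throws ParserConfigurationException,
    // which callers should treat as "not safe to use" rather than ignore.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a string with the given factory; returns null when the parser refuses it.
    static Document parseOrNull(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            return b.parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl on, any DOCTYPE is rejected before entities resolve.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one plain document, one carrying a DOCTYPE with an internal entity.
        String plain = "<r>ok</r>";
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        DocumentBuilderFactory hard = hardenedFactory();
        System.out.println("plain document parsed: " + (parseOrNull(hard, plain) != null));
        System.out.println("DOCTYPE document accepted: " + (parseOrNull(hard, withDoctype) != null));
    }
}
```

Auditing a deserializer such as DOMDeserializer comes down to confirming that the factory it instantiates sets these same features before any untrusted input reaches parse().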