vulnerabilities flagged due to jackson-databind #39

Closed
mailtoraja18 opened this issue Mar 9, 2020 · 3 comments
Comments

@mailtoraja18
com.fasterxml.jackson.core:jackson-databind:2.8.11.1:jar - please upgrade to a compatible version.

      Type:            VULNERABILITY
      Name:            CVE-2018-14719
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

      Type:            VULNERABILITY
      Name:            CVE-2018-14720
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

      Type:            VULNERABILITY
      Name:            CVE-2018-14721
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

      Type:            VULNERABILITY
      Name:            CVE-2018-19360
      CVSS Score v2:   7.5
      Severity:        high
      Description:     FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Thanks
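All four CVEs in the scanner output above share one root cause: an ObjectMapper with default typing enabled will instantiate whatever class name appears in the JSON type id, so every "gadget" class on the classpath that Jackson has not yet blocklisted becomes reachable to the attacker. Upgrading the jar only extends the blocklist; the durable fix is to stop accepting arbitrary class names at all. The following is an added example, not code from this issue or from the aws-secretsmanager-jdbc project, showing the weak configuration next to the hardened one (Jackson 2.10+ `activateDefaultTyping` with a `BasicPolymorphicTypeValidator`). The `Shape`/`Circle` types, the `example` package, and the use of `java.util.HashMap` as a harmless stand-in for a gadget class name are assumptions made for the demonstration; it assumes jackson-databind 2.10 or later on the classpath.

```java
package example;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not part of the issue or the project): weak vs. hardened default typing.
public class JacksonDefaultTypingDemo {

    // Hypothetical application model used only for this demonstration.
    public interface Shape {
        double area();
    }

    public static class Circle implements Shape {
        public double radius;

        public Circle() {
        }

        @Override
        public double area() {
            return Math.PI * radius * radius;
        }
    }

    // WEAK: the pre-2.10 style. Any class name in "@class" is instantiated, so the
    // only defence is Jackson's blocklist, which is what each of the CVEs above bypassed.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // HARDENED: default typing still works for our own model, but the validator only
    // admits subtypes assignable to Shape. Unrelated classes (gadgets included) are denied
    // before any constructor runs, regardless of whether Jackson knows their names.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();

        // Constructed input: a legitimate polymorphic payload naming our own subtype.
        String legit = "{\"@class\":\"example.JacksonDefaultTypingDemo$Circle\",\"radius\":2.0}";
        Shape s = safe.readValue(legit, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName() + " area=" + s.area());

        // Constructed input: a type id the application never declared. java.util.HashMap is a
        // benign stand-in for the blaze-ds / axis2 class names in the scanner report; the
        // validator denies it because it is not assignable to Shape.
        String hostile = "{\"@class\":\"java.util.HashMap\"}";
        try {
            safe.readValue(hostile, Shape.class);
            System.out.println("UNEXPECTED: hostile type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

If the application never needs polymorphic deserialization at all, the strongest setting is to leave default typing off entirely and mark the few polymorphic fields with `@JsonTypeInfo` plus an explicit `@JsonSubTypes` list. Either way, still upgrade the jar, because the validator protects only the ObjectMappers your code constructs, not those built inside transitive dependencies such as the caching library mentioned later in this thread.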

@mailtoraja18
Author

mailtoraja18 commented Mar 20, 2020

The upgrade to 2.9.10.3 does not help.

Dependency: MAVEN - com.fasterxml.jackson.core:jackson-databind:2.9.10.3:jar
RejectReasons (3)
RejectReason: 001775da-5458-4655-995b-74a3d14f8a0b
Type: VULNERABILITY
CVSS Score v3: 9.8
Severity: severe
Description Link: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094
RejectReason: 5520cb0b-1131-4a29-b605-bdfc140489f0
Type: VULNERABILITY
CVSS Score v3: 8.1
Severity: high
Description Link: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766
RejectReason: 7ca799a9-afae-4080-b55f-5227ad2db815
Type: VULNERABILITY
CVSS Score v3: 8.1
Severity: high
Dependency: MAVEN - com.fasterxml.jackson.core:jackson-annotations:2.9.10:jar
Dependency: MAVEN - com.fasterxml.jackson.core:jackson-core:2.9.10:jar

@mailtoraja18
Author

Dependencies conflict - secretsmanager-caching needs to be updated as well?
com.amazonaws.secretsmanager:aws-secretsmanager-jdbc:1.0.5
-->com.amazonaws.secretsmanager:aws-secretsmanager-caching-java:1.0.1
------>com.amazonaws:aws-java-sdk-secretsmanager:1.11.409 (conflict with 1.11.418 below)
com.amazonaws:aws-java-sdk-secretsmanager:1.11.418
com.amazonaws:aws-java-sdk-core:1.11.418
com.amazonaws:jmespath-java:1.11.418

@willtong1234
Contributor

Addressed in commit: 78f82b2. Closing out this Issue in favor of that commit.
