jackson-databind False Negative

[stboissdev]

False negative on library

<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.9.2</version>
</dependency>

the CVE-2018-5968 affect version 2.8.11 and 2.9.x through 2.9.3

[tkep]

Same false negative issue with databind mircofix 2.7.9.3

<suppress>
    <!-- databind micro fix 2.7.9.3 is the official fix for the CVEs -->
    <notes><![CDATA[
      file name: jackson-databind-2.7.9.3.jar
      ]]></notes>
    <cve>CVE-2017-17485</cve>
    <cve>CVE-2018-5968</cve>
</suppress>

https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.7.9.3

see https://www.securityfocus.com/archive/1/archive/1/541652/100/0/threaded

[Brcrwilliams]

It seems that the CVE has not been associated with the CPE's for 2.9.x: link

Edit - Jackson databind is missing CPEs for the following versions:

• 2.8.10
• 2.8.11
• 2.8.11.1
• 2.9.0 through 2.9.4

I have contacted NIST about adding these CPEs.

[jeremylong]

This may also be due to the data in the XML data feeds as opposed to the JSON data feeds. See #1088.

Thanks for the report and I'll try to get to this soon.

[jeremylong]

This was resolved with 6.x