Fenzo icon indicating copy to clipboard operation
Fenzo copied to clipboard
verified publisher icon Netflix

CVE-2018-7489 on jackson-databind 2.4.5

Open huichuno opened this issue 6 years ago • 1 comments

https://nvd.nist.gov/vuln/detail/CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

huichuno avatar Jul 29 '19 02:07 huichuno

Is it possible to update jackson-databind (https://github.com/FasterXML/jackson-databind) to latest release version which is free from this vulnerability?

huichuno avatar Aug 02 '19 01:08 huichuno