CVE-2019-10202 #2700
Comments
This problem has not been reported to Jackson maintainers directly, so I do not know exact details of the alleged vulnerability. However, from the description that only mentions Jackson 1.x it looks like it might be a backport of some reported vulns for Jackson 2.x; the latter of which would be fixed for 2.x. So: as of now I do not think this is relevant for Jackson 2.x until someone proves otherwise. Worth noting, too, is that none of the polymorphic deserialization vulns/CVEs reported against 2.x are applicable beyond 2.9.x -- 2.10.0 and later are not considered affected as per CVE definition (attacks cannot be used with Jackson usage with default configuration: user will have to enable specific handling using deprecated methods). I hope this helps. For more information, whoever filed the issue would need to share more information.
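The "default configuration vs. deprecated opt-in" distinction above, as an added illustration that is not code from this thread or from the Jackson project; it assumes jackson-databind 2.10 or later and uses hypothetical `Shape`/`Circle` application types:

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // Hypothetical application types; only these should be constructible from a type id in JSON.
    public interface Shape {}
    public static class Circle implements Shape { public double r; }

    // Default ObjectMapper in 2.10+: default typing is off, so a JSON document cannot
    // name an arbitrary class for Jackson to instantiate. This is the "not affected" case.
    public static ObjectMapper safeDefault() {
        return new ObjectMapper();
    }

    // The pre-2.10 opt-in the comment refers to, deprecated in 2.10 because it accepts any
    // class name the JSON supplies. Kept here only so reviewers can recognise it in a code base.
    @SuppressWarnings("deprecation")
    public static ObjectMapper legacyOptIn() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // 2.10+ replacement: polymorphic handling is only activated together with a validator
    // that allow-lists which subtypes Jackson may construct (here: implementations of Shape).
    public static ObjectMapper validatedOptIn() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }
}
```

Grepping a code base for `enableDefaultTyping` is a quick way to tell whether an upgrade to 2.10.x actually leaves the application in the unaffected default configuration.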
I went ahead and dug up references to Jackson 2.x issues via CVE ids matched. Here's the list, along with versions fixed (all but one are against
note: fixes are in many cases backported to earlier 2.8 micro-patches, but I include 2.9.x fixes as the primary ones -- none affects 2.10.0 or later versions. I do not know how to help with security scanners but perhaps you can pass on this issue. Like I said, people who filed the CVE id request did not contact me or anyone from the Jackson dev team (as far as I know), so I don't really know a good way to pass this information. I did also add CVE ids in some places where they were missing in Jackson release notes: oftentimes the actual id is allocated after the issue itself has been fixed (since disclosure timing should ideally occur after release of a fixed-in version).
Wow what an answer 💯 Thank you for taking the time to give me such comprehensive feedback 🥇
@lafual np. I figured that it is likely you would not be the only user who ends up asking this question -- security tools are unfortunately black boxes often, and the real world situation with patches is a tangled mess. On the plus side, I was able to fill in some blanks in release notes too. :) Also... interesting. Did not realize GitHub has auto-linking for CVE ids. Neat.
Jackson 2.9.x has various vulnerabilities that are fixed in 2.10 series: FasterXML/jackson-databind#2700 (comment) Let's update to the latest version of Jackson. This is a similar fix to Github's Dependabot proposal, except we bump the version number across all Jackson components: #116
Hi,
My company's IT Security has implemented a vulnerability checker. Unfortunately I do not know what this software is. They haven't revealed the name.
However, it is blocking jackson-databind 2.10.3 with the following issue: https://nvd.nist.gov/vuln/detail/CVE-2019-10202
Is 2.10.3 really vulnerable? The above link does refer to this package by name, but does it actually indicate which versions are vulnerable?