CVE-2020-36186 (Medium) detected in jackson-databind-2.9.4.jar #142
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2020-36186 - Medium Severity Vulnerability
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: mall/mall-dao/pom.xml
Path to vulnerable library: canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.4/jackson-databind-2.9.4.jar
Dependency Hierarchy:
Found in HEAD commit: 58429d23f3045fe26e303f6e045f1c664b07b48d
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Publish Date: 2021-01-06
URL: CVE-2020-36186
Base Score Metrics not available
Type: Change files
Origin: FasterXML/jackson-databind@3e8fa3b
Release Date: 2020-12-26
Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION-2.x
The text was updated successfully, but these errors were encountered: