CVE-2019-20330 (High) detected in jackson-databind-2.8.5.jar #2789

mend-bolt-for-github · 2020-05-31T20:09:33Z

CVE-2019-20330 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.8.5.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /tmp/ws-scm/web-frameworks/java/rapidoid/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.5/jackson-databind-2.8.5.jar

Dependency Hierarchy:

rapidoid-web-5.5.5.jar (Root Library)
- rapidoid-sql-5.5.5.jar
  - rapidoid-commons-5.5.5.jar
    - ❌ jackson-databind-2.8.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.5,2.9.10.2

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github bot added the security vulnerability label May 31, 2020

waghanza closed this as completed May 31, 2020