jackson-databind: Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489)
From an email report there are 2 other c3p0 classes (above and beyond the ones listed in #1737) that need to be blocked.
EDIT 21-Jun-2021: Fix included in:
- 2.9.5
- 2.8.11.1
- 2.7.9.3
- 2.6.7.5
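What "default typing issue" means in practice, as an added example (not code from the issue or from jackson-databind itself): when default typing is enabled, the JSON document itself names the class to instantiate, so any class on the classpath with a setter or constructor that does something dangerous becomes a gadget, and each release in the list above only extends a deny-list of known ones. The `SideEffectBean` below is a stand-in defined in the example (the two c3p0 classes are not named on this page), the package prefix `com.example.model.` is a hypothetical allow-list entry, and the hardened mapper uses the `activateDefaultTyping` / `BasicPolymorphicTypeValidator` API, which exists from jackson-databind 2.10 onward rather than in the 2.9.x line discussed here.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Application model: a field typed as Object is exactly what
    // DefaultTyping.NON_FINAL applies polymorphic handling to.
    public static class Envelope {
        public Object payload;
    }

    // Stand-in for a gadget class (hypothetical, defined here for the demo):
    // a bean whose setter performs a side effect. A real gadget's setter would
    // open a JNDI/JDBC connection or load code instead of printing.
    public static class SideEffectBean {
        public static int timesCalled = 0;
        public void setUrl(String url) {
            timesCalled++;
            System.out.println("SideEffectBean.setUrl invoked with " + url);
        }
    }

    // Constructed attacker document: with WRAPPER_ARRAY default typing the first
    // element is the fully qualified class name the mapper will instantiate.
    // Class.getName() of the nested class above is "DefaultTypingDemo$SideEffectBean".
    static final String PAYLOAD =
        "{\"payload\":[\"DefaultTypingDemo$SideEffectBean\",{\"url\":\"jdbc:attacker\"}]}";

    // Vulnerable configuration, as used with jackson-databind 2.9.x: any loadable
    // class may be named; protection rests solely on the built-in deny-list that
    // fixes such as this issue extend one gadget at a time.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened configuration (2.10+ API): an allow-list validator. Only type ids
    // under the hypothetical application package resolve; anything else,
    // including every c3p0 class, is rejected before it is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable: the document picks the class, its setter runs during readValue.
        Envelope e = vulnerableMapper().readValue(PAYLOAD, Envelope.class);
        System.out.println("vulnerable mapper instantiated: "
            + e.payload.getClass().getName()
            + ", setter calls: " + SideEffectBean.timesCalled);

        // Hardened: the validator denies the type id, no instance is created.
        try {
            hardenedMapper().readValue(PAYLOAD, Envelope.class);
            System.out.println("unexpected: hardened mapper accepted the payload");
        } catch (InvalidTypeIdException ex) {
            System.out.println("hardened mapper rejected type id: " + ex.getTypeId()
                + ", setter calls still: " + SideEffectBean.timesCalled);
        }
    }
}
```

For applications pinned to the 2.9.x/2.8.x/2.7.x/2.6.x fix versions listed above, the deny-list is the only built-in defense, and it is reactive by construction: the safer configuration is to not enable default typing at all and to use explicit `@JsonTypeInfo` / `@JsonSubTypes` annotations on the few types that genuinely need polymorphism.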
About this issue
- State: closed
- Created 6 years ago
- Comments: 15 (10 by maintainers)
Commits related to this issue
- Fix #1931 — committed to FasterXML/jackson-databind by cowtowncoder 6 years ago
- Update release notes wrt #1931 — committed to FasterXML/jackson-databind by cowtowncoder 6 years ago
- Fixed latest cve error for CVE-2018-7489. https://github.com/FasterXML/jackson-databind/issues/1931 — committed to hmcts/ccpay-payment-app by deleted user 6 years ago
- Fixed latest cve error for CVE-2018-7489. (#119) https://github.com/FasterXML/jackson-databind/issues/1931 — committed to hmcts/ccpay-payment-app by deleted user 6 years ago
- Use jackson-databind v.2.9.5. + Resolves [CVE-2018-7489] https://github.com/FasterXML/jackson-databind/issues/1931 — committed to johnjohndoe/HalfnarpClient by johnjohndoe 6 years ago
- Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489) Merged from FasterXML/jackson-databind#1931 — committed to atlassian/jackson-1 by ablekhman 5 years ago
Hi! Any estimates for a 2.9.5 release? Thanks!
Hi FasterXML Team, as the new vulnerability CVE-2018-7489 has been reported and we are using jackson-databind version 2.9.4, which is now vulnerable, please confirm when we can get a full new release like 2.9.5 or a patch fix in v2.9.4.1, which will help us get rid of this vulnerability.
-thanks, Dharmendra
Hi there! How come there is no artifact in http://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/ matching release 2.8.11.1?
This is preventing me from upgrading to 2.8.11.1, because that artifact is required by Spring Boot's dependency management.
Thanks in advance!