search

cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal
399 stars 29 forks source link

Fix Jackson Databind Lower Bound #46

Closed j-baines closed 1 month ago

j-baines commented 1 month ago

The description for CVE-2020-36181 says:

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

But the CISA ADP has:

            "vendor": "fasterxml",
            "product": "jackson-databind",
            "versions": [
              {
                "status": "affected",
                "version": "0",
                "lessThan": "2.9.10.8",
                "versionType": "custom"
              }
            ],

The lowerbound of 0 appears to be incorrect. It should be 2.0.0 according to the description. That is also closer to what NIST currently has for the CVE:

2024-06-01_04-54

I'm not certain where NIST came up with that extra version range, but I digress.

Anyway, I think there are about 10 other jackson-databind CVE that suffer from the same issue (CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, etc.)

jwoytek-cisa commented 1 month ago

@j-baines This was fixed upstream and updated. Thank you!