github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-qxxx-2pp7-5hmx] jackson-databind is vulnerable to a deserialization flaw #4494

Closed SunBK201 closed 1 day ago

SunBK201 commented 1 month ago

Updates:

Comments: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind

shelbyc commented 1 month ago

Hi @SunBK201, all of the reference links for GHSA-qxxx-2pp7-5hmx that I checked say that versions of com.fasterxml.jackson.core:jackson-databind prior to version 2.6.0 are affected by CVE-2017-7525. I'm unable to find any evidence in https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind or the reference links of GHSA-qxxx-2pp7-5hmx to demonstrate that com.fasterxml.jackson.core:jackson-databind prior to version 2.6.0 is not affected by CVE-2017-7525. Unless you are able to find evidence that versions prior to 2.6.0 aren't vulnerable, I can't accept the contribution.