Closed SunBK201 closed 2 months ago
Hi @SunBK201, I have a question about the claim that the vulnerability was introduced in 2.4.0. Did you find that information at https://github.com/FasterXML/jackson-databind/blob/063183589218fec19a9293ed2f17ec53ea80ba88/release-notes/VERSION-2.x#L1885-L1890? I've noticed that https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424 says that the vulnerability was introduced in 2.4.0, but the reference links there contain the same information as the reference links for GHSA-rgv9-q543-rqg4.

I checked https://github.com/FasterXML/jackson-databind/blob/jackson-databind-2.4.0/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java and was unable to find the `_deserializeFromArray` function in the `BeanDeserializer.java` file in version 2.4.0.
According to the patch, this vulnerability was introduced in 2.4.0.