lmenezes / cerebro

MIT License

Release current master - mitigate CVE-2020-25649 #493

Open karolinepauls opened 3 years ago

karolinepauls commented 3 years ago

0.9.3 is still vulnerable to:

+----------------+----------+------+---------------------------------------------+----------+--------------------------------------+-----------+------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS |                   PACKAGE                   | VERSION  |                STATUS                | PUBLISHED | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     |
+----------------+----------+------+---------------------------------------------+----------+--------------------------------------+-----------+------------+------------+----------------------------------------------------+
| CVE-2020-25649 | high     | 7.50 | com.fasterxml.jackson.core_jackson-databind | 2.10.2   | fixed in 2.10.5.1, 2.9.10.7, 2.6.7.4 | 68 days   | < 1 hour   | -49        | A flaw was found in FasterXML Jackson Databind,    |
|                |          |      |                                             |          | 68 days ago                          |           |            |            | where it did not have entity expansion secured     |
|                |          |      |                                             |          |                                      |           |            |            | properly. This flaw allows vulnerability to XML    |
|                |          |      |                                             |          |                                      |           |            |            | externa...                                         |

I checked the master with sbt update and sbt dependencyTree and it installs the patched version of jackson-databind.

moliware commented 3 years ago

We released 0.9.4; is this still an issue?

maciekm commented 3 years ago

0.9.4 is vulnerable to:

+----------------+----------+------+----------------------------------------------------------+----------+--------------------------+------------+----------------------------------------------------------+
|      CVE       | SEVERITY | CVSS |                         PACKAGE                          | VERSION  |          STATUS          | PUBLISHED  |                       DESCRIPTION                        |
+----------------+----------+------+----------------------------------------------------------+----------+--------------------------+------------+----------------------------------------------------------+
| CVE-2020-28491 | high     | 7.50 | com.fasterxml.jackson.dataformat_jackson-dataformat-cbor | 2.10.5   | fixed in 2.11.4,  2.12.1 | > 3 months | This affects the package                                 |
|                |          |      |                                                          |          | > 3 months ago           |            | com.fasterxml.jackson.dataformat:jackson-dataformat-cbor |
|                |          |      |                                                          |          |                          |            | from 0 and before 2.11.4, from 2.12.0-rc1 and before     |
|                |          |      |                                                          |          |                          |            | 2.12.1. Uncheck...                                       |
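
The version checks behind the two scanner reports above, as an added example that is not part of this thread or of cerebro itself: it parses a constructed listing in the shape of `sbt dependencyTree` output and flags jackson artifacts inside the affected ranges quoted for CVE-2020-25649 and CVE-2020-28491 (the per-release-line split for the first CVE is an assumption read from its "fixed in" list).

```python
# Added example (not from the cerebro issue thread or the project itself): check a
# dependency listing against the affected jackson version ranges quoted above.
import re

# Affected ranges, read from the scanner output in the thread as lo <= v < hi.
# The 2.10/2.9/2.6 split for CVE-2020-25649 is an assumption drawn from its
# "fixed in" list; 2.7.x and 2.8.x are treated as unfixed.
ADVISORIES = {
    "CVE-2020-25649": ("com.fasterxml.jackson.core:jackson-databind",
                       [("0", "2.6.7.4"), ("2.7.0", "2.9.10.7"), ("2.10.0", "2.10.5.1")]),
    "CVE-2020-28491": ("com.fasterxml.jackson.dataformat:jackson-dataformat-cbor",
                       [("0", "2.11.4"), ("2.12.0-rc1", "2.12.1")]),
}

# Constructed sample in the shape of `sbt dependencyTree` output (not real output).
SAMPLE_TREE = """\
[info] example:app_2.12:0.0.0 [S]
[info]   +-com.fasterxml.jackson.core:jackson-databind:2.10.5.1
[info]   | +-com.fasterxml.jackson.core:jackson-core:2.10.5
[info]   +-com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.10.5
"""

def version_key(v):
    """Sort key: dotted numeric parts, then a release flag (1) so that a final
    release sorts after its pre-release (0). Handles four-part fixes such as
    2.10.5.1 and release candidates such as 2.12.0-rc1."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is None:
        return (nums, 1, "", 0)
    return (nums, 0, m.group(2).lower(), int(m.group(3) or 0))

def is_affected(version, ranges):
    """True when version falls inside any lo <= version < hi range."""
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in ranges)

def scan(tree_text):
    """Map each CVE to the (group:artifact, version) pairs found inside its ranges."""
    coord_re = re.compile(r"(\w[\w.\-]*):([\w.\-]+):(\d[\w.\-]*)")
    found = {}
    for group, artifact, version in coord_re.findall(tree_text):
        ga = f"{group}:{artifact}"
        for cve, (affected_ga, ranges) in ADVISORIES.items():
            if ga == affected_ga and is_affected(version, ranges):
                found.setdefault(cve, []).append((ga, version))
    return found

if __name__ == "__main__":
    for cve, hits in scan(SAMPLE_TREE).items():
        print(cve, hits)
```

On the sample listing only the CBOR artifact is reported, matching the 0.9.4 scan above; pipe real `sbt dependencyTree` output into `scan` to check a build.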

mooncser commented 2 years ago

Any update on the CVE-2020-28491? Thank you.