search

logzio / jmx2graphite

JMX to Graphite every x seconds in one command line (Docker based) (also come in Java Agent flavour)
MIT License
77 stars 23 forks source link

CVE-2020-9546 (Medium) detected in jackson-databind-2.9.10.2.jar #66

Closed mend-for-github-com[bot] closed 4 years ago

mend-for-github-com[bot] commented 4 years ago

CVE-2020-9546 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.10.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/jmx2graphite/pom.xml

Path to vulnerable library: downloadResource_735c409f-ec0a-4787-a1e7-5c39db3285be/20200211101557/jackson-databind-2.9.10.2.jar

Dependency Hierarchy: - :x: **jackson-databind-2.9.10.2.jar** (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3