search

logzio / sawmill

Sawmill is a JSON transformation Java library
Apache License 2.0
116 stars 24 forks source link

CVE-2020-9546 (Medium) detected in jackson-databind-2.9.10.1.jar #199

Closed mend-for-github-com[bot] closed 3 years ago

mend-for-github-com[bot] commented 4 years ago

CVE-2020-9546 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.10.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/sawmill/sawmill-core/pom.xml

Path to vulnerable library: epository/com/fasterxml/jackson/core/jackson-databind/2.9.10.1/jackson-databind-2.9.10.1.jar

Dependency Hierarchy: - :x: **jackson-databind-2.9.10.1.jar** (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3