moqui / moqui-framework

Use Moqui Framework to build enterprise applications based on Java. It includes tools for databases (relational, graph, document), local and web services, web and other UI with screens and forms, security, file/resource access, scripts, templates, l10n, caching, logging, search, rules, workflow, multi-instance, and integration.
http://www.moqui.org

CVE-2019-16335 (High) detected in jackson-databind-2.9.9.2.jar #382

Closed mend-bolt-for-github[bot] closed 4 years ago

mend-bolt-for-github[bot] commented 5 years ago

CVE-2019-16335 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tmp/ws-scm/moqui-framework/framework/build.gradle

Path to vulnerable library: le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9.2/d18b4dec691df396916ecd5bd5aab99d0abdcb15/jackson-databind-2.9.9.2.jar

Dependency Hierarchy:

- :x: **jackson-databind-2.9.9.2.jar** (Vulnerable Library)

Found in HEAD commit: 95a549e4efda6f7df1960d92888d2e9e6b3b148d

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

Release Date: 2019-09-15

Fix Resolution: 2.9.10


jonesde commented 4 years ago

Now addressed with update to jackson-databind-2.10.1