omise / omise-android

Omise Android SDK
https://docs.opn.ooo

Your Jackson dependency is vulnerable with high severity level #136

Closed saiqulhaq closed 4 years ago

saiqulhaq commented 4 years ago

https://github.com/omise/omise-android/blob/9698f26ae81089255ef5cfc235bf72521fc0bb6d/build.gradle#L27

Please can you upgrade jackson-databind to version 2.10.0 or higher? Currently it is possible to conduct a deserialization attack using the oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (apache/drill) class gadget if polymorphic type handling is enabled and an application using this package allows user input which gets deserialized https://cwe.mitre.org/data/definitions/502.html
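The two preconditions named in the report (polymorphic type handling enabled, and attacker-influenced JSON reaching the deserializer) are configuration choices, so the upgrade to jackson-databind 2.10.0 or later is only half of the fix: 2.10 also introduced `PolymorphicTypeValidator`, which lets the application restrict which classes a type id may name. The following is an added example written for this issue, not code from the omise-android SDK; the package `com.example.sdk`, the `Envelope` and `Event` classes and the JSON inputs are constructed for illustration. It places the pre-2.10 "accept any class name" configuration beside the hardened one and shows how to check that unexpected type ids are rejected.

```java
package com.example.sdk; // assumed package name for this example, not the SDK's

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonHardening {

    /** Constructed model: an Object-typed field is exactly the shape that needs a
     *  type id in the JSON and therefore triggers polymorphic type handling.
     *  Declared final so the root value itself does not require a type id under NON_FINAL. */
    public static final class Envelope {
        public Object payload;
    }

    /** The only payload type this hypothetical application legitimately expects. */
    public static class Event {
        public String name;
    }

    /** Risky configuration (the 'before'): any fully qualified class name supplied in
     *  the JSON is resolved and instantiated. Deprecated since Jackson 2.10. */
    @SuppressWarnings("deprecation")
    public static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Hardened configuration (requires jackson-databind >= 2.10): type ids are only
     *  honoured for classes under the application's own package; every other name
     *  is refused before the class is even loaded. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.sdk.")   // assumed allow-list prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Returns true if the mapper accepted the document, false if it rejected the
     *  type id (InvalidTypeIdException is a JsonMappingException). */
    public static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        } catch (java.io.IOException e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the first names an allow-listed class, the second names
        // a JDK class outside the allow-list (a benign stand-in for any unexpected type id).
        String allowed = "{\"payload\":[\"com.example.sdk.JacksonHardening$Event\",{\"name\":\"charge\"}]}";
        String unexpected = "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        System.out.println("risky    / allowed    : " + accepts(riskyMapper(), allowed));
        System.out.println("risky    / unexpected : " + accepts(riskyMapper(), unexpected));
        System.out.println("hardened / allowed    : " + accepts(hardenedMapper(), allowed));
        System.out.println("hardened / unexpected : " + accepts(hardenedMapper(), unexpected));
    }
}
```

With the hardened mapper the `java.util.HashMap` document is refused with an `InvalidTypeIdException`, while the allow-listed `Event` still deserializes; the risky mapper accepts both. The strongest option is to not enable default typing at all and to declare expected subtypes explicitly with `@JsonTypeInfo` and `@JsonSubTypes`, which is the configuration to reach for when reviewing whether an SDK's `build.gradle` bump alone closes the issue.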

nuxzero commented 4 years ago

Thank you for raising this issue for us. We will check this and update it to you soon. 🙂

nuxzero commented 4 years ago

@saiqulhaq We have released a security patch version. Please check out our new version 3.1.1. 🙂