spotify / docker-maven-plugin

INACTIVE: A maven plugin for Docker
Apache License 2.0

Vulnerability found in transitive dependency #394

Closed barahate90 closed 6 years ago

barahate90 commented 6 years ago

Description

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

How to reproduce

Vulnerability database reference

What do you expect

Can you update jackson-databind to the latest 2.9.6 version?

What happened instead

```xml
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.2.3</version>
</dependency>
```

Referring to an old version of jackson-databind
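Until the plugin itself is updated, a project that uses it can override the transitive jackson-databind version from its own pom.xml. This is an added example, not code from the issue or from the plugin; `PLUGIN_VERSION` is a placeholder for whatever plugin version the build already pins.

```xml
<!-- pom.xml of a project using the plugin (added example, not from the issue).
     PLUGIN_VERSION is a placeholder: keep the plugin version your build already uses. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.spotify</groupId>
      <artifactId>docker-maven-plugin</artifactId>
      <version>PLUGIN_VERSION</version>
      <!-- Dependencies declared inside <plugin> are added to the plugin's own
           classpath. Because they sit one level nearer than the plugin's transitive
           jackson-databind 2.2.3, Maven's nearest-wins resolution picks this
           version instead; jackson-core is pulled in at a matching version by
           jackson-databind 2.9.6 itself. -->
      <dependencies>
        <dependency>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>jackson-databind</artifactId>
          <version>2.9.6</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Confirm the override took effect by listing the resolved plugin classpath with `mvn dependency:resolve-plugins` and checking that jackson-databind 2.9.6, not 2.2.3, is the artifact reported for the plugin.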

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.