CVE: 2017-17485 found in jackson-databind - Version: 2.4.2 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	jackson-databind
Description	General data-binding functionality for Jackson: works on core streaming API
Language	JAVA
Vulnerability	Remote Code Execution (RCE)
Vulnerability description	Jackson-databind is vulnerable to remote code execution (RCE) attacks. Attackers can exploit an incomplete fix of CVE-2017-7525 to bypass the blacklist when Spring libraries are available on the class path.

In order to be vulnerable to this attack, either the use of @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS) or a call to ObjectMapper.enableDefaultTyping(...) is needed.
CVE | 2017-17485
CVSS score | 7.5
Vulnerability present in version/s | 2.0.0-RC1-2.7.9.1
Found library version/s | 2.4.2
Vulnerability fixed in version | 2.7.9.2
Library latest version | 2.16.1
Fix |

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/908?version=2.4.2
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/5684
• Patch: https://github.com/FasterXML/jackson-databind/compare/f031f27a31625d07922bdd090664c69544200a5d...bb45fb16709018842f858f1a6e1118676aaa34bd

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43