tsaekao / verademo-java

The Veracode demo application. A simple Java Web App built using Spring MVC.

CVE: 2018-7489 found in jackson-databind - Version: 2.4.2 [JAVA] #19

Open github-actions[bot] opened 6 months ago

github-actions[bot] commented 6 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | jackson-databind |
| Description | General data-binding functionality for Jackson: works on core streaming API |
| Language | JAVA |
| Vulnerability | Remote Code Execution (RCE) |
| Vulnerability description | jackson-databind is vulnerable to remote code execution (RCE) attacks. Due to an incomplete fix for CVE-2017-7525, attackers can still send malicious code through JSON. The blacklist that was implemented didn't take into account the c3p0 gadgets available in the classpath. In order to be vulnerable to this attack, either the use of @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS) or a call to ObjectMapper.enableDefaultTyping(...) is needed. |
| CVE | 2018-7489 |
| CVSS score | 7.5 |
| Vulnerability present in version/s | 2.0.0-RC1 to 2.6.7.4 |
| Found library version/s | 2.4.2 |
| Vulnerability fixed in version | 2.7.9.3 |
| Library latest version | 2.16.1 |
| Fix | |

Links:
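The precondition the description names, as an added example that is not code from the Veracode report or from verademo-java: an `ObjectMapper` with `enableDefaultTyping(...)` (the vulnerable pattern, where the JSON itself names the class to instantiate) beside a hardened mapper that only activates default typing behind an allow-list `PolymorphicTypeValidator`. `DefaultTypingDemo`, `Envelope`, `Note` and the two JSON inputs are constructed for illustration. The hardened form uses the `activateDefaultTyping`/`BasicPolymorphicTypeValidator` API that exists from jackson-databind 2.10 onward, so it assumes upgrading well past the 2.7.9.3 listed above; that release only extends the class blocklist, and an allow-list is the durable fix because it does not depend on knowing every gadget on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application type. The field declared as Object is what makes
    // default typing apply to its value: Jackson must read a class name from the JSON.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // Hypothetical model class that we legitimately want to accept polymorphically.
    public static class Note {
        public String text;
    }

    // Vulnerable configuration (the pattern the advisory names). With default typing
    // enabled, the JSON carries a fully qualified class name and Jackson resolves and
    // instantiates it; any gadget class on the classpath (the advisory mentions c3p0)
    // can be targeted. enableDefaultTyping() is deprecated since Jackson 2.10.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Hardened configuration (Jackson 2.10+). Default typing is only activated with an
    // allow-list validator: type ids are accepted only for subtypes nested in this class
    // (prefix "DefaultTypingDemo$"). Any other class name fails with InvalidTypeIdException
    // before the class is loaded or instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(DefaultTypingDemo.class.getName() + "$")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. Under default typing a polymorphic value is encoded
        // as a two-element array: ["fully.qualified.ClassName", { ...properties... }].
        String allowed = "{\"id\":\"1\",\"payload\":[\"" + Note.class.getName()
                + "\",{\"text\":\"hi\"}]}";
        // Same shape, but naming a class outside the allow-list. A harmless JDK class
        // stands in here for the gadget classes the advisory refers to.
        String notAllowed = "{\"id\":\"2\",\"payload\":[\"java.util.HashMap\",{}]}";

        Envelope ok = hardenedMapper().readValue(allowed, Envelope.class);
        System.out.println("hardened, allowed type: " + ok.payload.getClass().getName());

        try {
            hardenedMapper().readValue(notAllowed, Envelope.class);
            System.out.println("hardened: unexpectedly accepted the type id");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened: rejected type id " + e.getTypeId());
        }

        // The vulnerable mapper resolves whatever class name the input names.
        Envelope bad = vulnerableMapper().readValue(notAllowed, Envelope.class);
        System.out.println("vulnerable: instantiated " + bad.payload.getClass().getName());
    }
}
```

`OBJECT_AND_NON_CONCRETE` is used in both mappers so that the concrete root type `Envelope` needs no type id while the `Object` field does; with `NON_FINAL` the root value would have to be wrapped in a type-id array as well. A quick audit of a codebase for the precondition is a grep for `enableDefaultTyping`, `activateDefaultTyping`, `JsonTypeInfo.Id.CLASS` and `JsonTypeInfo.Id.MINIMAL_CLASS`; if none appear, CVE-2018-7489 is not reachable through `ObjectMapper` even with the old library on the classpath, though upgrading is still the right move.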

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43