tsaekao / verademo-java

The Veracode demo application. A simple Java Web App built using Spring MVC.

CVE: 2018-12023 found in jackson-databind - Version: 2.4.2 [JAVA] #21

Open github-actions[bot] opened 6 months ago

github-actions[bot] commented 6 months ago

Veracode Software Composition Analysis

| Attribute | Details |
|---|---|
| Library | jackson-databind |
| Description | General data-binding functionality for Jackson: works on core streaming API |
| Language | JAVA |
| Vulnerability | Remote Code Execution (RCE) |
| Vulnerability description | jackson-databind is vulnerable to remote code execution (RCE) attacks. The vulnerability exists because it does not prevent the deserialization of certain gadget types from the JDBC driver which could be used to perform remote code execution attacks through deserialization. |
| CVE | 2018-12023 |
| CVSS score | 5.1 |
| Vulnerability present in version/s | 2.0.0-RC1 to 2.7.9.1 |
| Found library version/s | 2.4.2 |
| Vulnerability fixed in version | 2.7.9.4 |
| Library latest version | 2.16.1 |
| Fix | |

Links:

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43