CVE: 2018-14719 found in jackson-databind - Version: 2.4.2 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	jackson-databind
Description	General data-binding functionality for Jackson: works on core streaming API
Language	JAVA
Vulnerability	Remote Code Execution (RCE)
Vulnerability description	jackson-databind is vulnerable to remote code execution. The application does not block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization, which would allow a remote attacker to leverage this vulnerability to execute arbitrary code. This vulnerability is due to an incomplete fix for the CVE-2017-7525.
CVE	2018-14719
CVSS score	7.5
Vulnerability present in version/s	2.0.0-RC1-2.6.7.1
Found library version/s	2.4.2
Vulnerability fixed in version	2.6.7.2
Library latest version	2.16.1
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/908?version=2.4.2
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/8105
• Patch: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43