CVE: 2019-12814 found in jackson-databind - Version: 2.4.2 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	jackson-databind
Description	General data-binding functionality for Jackson: works on core streaming API
Language	JAVA
Vulnerability	Deserialization Of Untrusted Object
Vulnerability description	jackson-databind is vulnerable to deserialization of untrusted object. The attack exists because it does not validate the gadget type before performing deserialization of polymorphic types with no limits.
CVE	2019-12814
CVSS score	4.3
Vulnerability present in version/s	2.0.0-RC1-2.7.9.1
Found library version/s	2.4.2
Vulnerability fixed in version	2.9.9.1
Library latest version	2.16.1
Fix	Apply the fix patch below.

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/908?version=2.4.2
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/20559
• Patch: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

[github-actions[bot]]

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43