tsaekao / verademo-java

The Veracode demo application. A simple Java Web App built using Spring MVC.

CVE: 2019-16335 found in jackson-databind - Version: 2.4.2 [JAVA] #36

Open github-actions[bot] opened 8 months ago

github-actions[bot] commented 8 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | jackson-databind |
| Description | General data-binding functionality for Jackson: works on core streaming API |
| Language | JAVA |
| Vulnerability | Deserialization Of Untrusted Data |
| Vulnerability description | FasterXML jackson-databind is vulnerable to deserialization of untrusted data. It causes polymorphic typing because there is more than one association gadget type related to com.zaxxer.hikari.HikariDataSource by default. This vulnerability is different from CVE-2019-14540. A remote attacker can gain unauthorized access to sensitive information on the system. |
| CVE | 2019-16335 |
| CVSS score | 7.5 |
| Vulnerability present in version/s | 2.0.0-RC1-2.7.9.1 |
| Found library version/s | 2.4.2 |
| Vulnerability fixed in version | 2.10.0.pr3 |
| Library latest version | 2.16.1 |
Fix

Links:
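As an added example that is not part of the verademo-java repository or of the Veracode report above, the snippet below shows the two sides of the problem the report describes: an `ObjectMapper` with default typing switched on, where the JSON itself names the class Jackson will instantiate (the pattern that lets a type id such as `com.zaxxer.hikari.HikariDataSource` be honoured on a 2.4.2 classpath), next to the hardened forms that jackson-databind offers from 2.10 onwards. The package name `com.example.verademo`, the `Envelope`/`SafeEnvelope`/`TextBody` classes and both JSON strings are constructed for this example and do not come from the project; the hostile input names only the gadget class from the report and carries no property payload.

```java
package com.example.verademo; // hypothetical package, chosen for this example

import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    /** Hypothetical DTO with a loosely typed field, the shape that default typing makes dangerous. */
    public static class Envelope {
        public Object body;
    }

    /** Hypothetical body interface whose concrete subtypes are enumerated explicitly. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = TextBody.class, name = "text") })
    public interface Body {}

    public static class TextBody implements Body {
        public String text;
    }

    public static class SafeEnvelope {
        public Body body;
    }

    /** VULNERABLE (the pattern available on 2.4.2): any class name in the JSON is resolved and instantiated. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        // Deprecated in 2.10 precisely because it lets the input choose the class.
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    /** HARDENED (requires jackson-databind 2.10+): an allow-list validator gates every type id. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.verademo.") // hypothetical package prefix for this example
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first names the gadget class from the report as a type id
        // (wrapper-array form, which is what enableDefaultTyping uses); the second is benign.
        String hostile = "{\"body\":[\"com.zaxxer.hikari.HikariDataSource\",{}]}";
        String benign  = "{\"body\":{\"type\":\"text\",\"text\":\"hello\"}}";

        try {
            vulnerableMapper().readValue(hostile, Envelope.class);
            System.out.println("vulnerable mapper: instantiated the attacker-chosen class");
        } catch (IOException e) {
            // Without HikariCP on the classpath this fails on class lookup, not on policy:
            // the mapper still tried to load whatever class the JSON named.
            System.out.println("vulnerable mapper: tried to load the named class -> " + e.getClass().getSimpleName());
        }

        try {
            hardenedMapper().readValue(hostile, Envelope.class);
            System.out.println("hardened mapper: UNEXPECTED, type id was accepted");
        } catch (IOException e) {
            // Rejected by the validator before any class is loaded (InvalidTypeIdException).
            System.out.println("hardened mapper: rejected -> " + e.getClass().getSimpleName());
        }

        try {
            // No default typing at all: only the subtypes listed on Body can ever be produced.
            SafeEnvelope ok = new ObjectMapper().readValue(benign, SafeEnvelope.class);
            System.out.println("explicit subtypes: body is " + ok.body.getClass().getSimpleName());
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The hardened mapper and the explicit `@JsonSubTypes` model only compile once `com.fasterxml.jackson.core:jackson-databind` has been moved to a release at or beyond the report's fix version (2.10.0.pr3; 2.16.1 is the latest listed), since `PolymorphicTypeValidator` and `activateDefaultTyping` do not exist in 2.4.2. Of the two fixes, dropping default typing in favour of an explicit subtype list is the stronger one; the validator is the fallback for code that genuinely needs `Object`-typed fields.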

github-actions[bot] commented 8 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

github-actions[bot] commented 8 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43