tsaekao / verademo-java

The Veracode demo application. A simple Java Web App built using Spring MVC.

CVE: 2019-16943 found in jackson-databind - Version: 2.4.2 [JAVA] #39

Open github-actions[bot] opened 6 months ago

github-actions[bot] commented 6 months ago

Veracode Software Composition Analysis

Attribute Details
Library jackson-databind
Description General data-binding functionality for Jackson: works on core streaming API
Language JAVA
Vulnerability Remote Code Execution (RCE)
Vulnerability description jackson-databind is vulnerable to remote code execution (RCE). The vulnerability exists as it does not stop classes from the p6spy package from being used as deserialization gadgets.
CVE 2019-16943
CVSS score 6.8
Vulnerability present in version/s 2.0.0-RC1 through 2.6.7.2
Found library version/s 2.4.2
Vulnerability fixed in version 2.6.7.3
Library latest version 2.16.1
Fix Apply the indicated patch (v2.9.10.1) instead of upgrading directly to 2.10.0. If upgrading to the next minor version, use the new safe methods for default typing and whitelisting. Refer to (https://github.com/FasterXML/jackson-databind/issues/2195#issuecomment-497567713)

Links:
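The Fix row above recommends moving to the new safe methods for default typing and allowlisting rather than relying on the gadget blocklist that CVE-2019-16943 bypasses. The example below is added here and is not code from verademo-java or from the Veracode report: it puts the legacy enableDefaultTyping() configuration beside the allowlist-based activateDefaultTyping() replacement available from jackson-databind 2.10 onward. The Envelope and Greeting classes, the sample JSON documents, and java.util.HashMap standing in for a class that is not on the allowlist are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/*
 * Added example, not code from verademo-java or from the Veracode finding.
 * Assumes jackson-databind 2.10 or later on the classpath. Envelope, Greeting
 * and the sample JSON are constructed for illustration.
 */
public class DefaultTypingHardening {

    /** A holder with an Object-typed field: the shape that makes default typing exploitable. */
    public static class Envelope {
        public Object payload;
    }

    /** The only application type that polymorphic deserialization should produce here. */
    public static class Greeting {
        public String text;
    }

    // Constructed sample: the type id names an allowed application class.
    static final String ALLOWED_JSON =
        "{\"payload\":[\"DefaultTypingHardening$Greeting\",{\"text\":\"hello\"}]}";

    // Constructed sample: the type id names a class that is not on the allowlist.
    // java.util.HashMap is harmless; an attacker would name a gadget class from a
    // library on the classpath instead (the p6spy classes in this CVE, for example).
    static final String UNLISTED_JSON =
        "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    /** Legacy configuration: any non-final class on the classpath can be named in the JSON. */
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Deprecated since 2.10. Relies on jackson-databind's blocklist of known gadgets,
        // which is exactly what CVE-2019-16943 bypassed.
        mapper.enableDefaultTyping();
        return mapper;
    }

    /** Hardened configuration: default typing stays on, but only allowlisted subtypes resolve. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)   // add one rule per legitimate application type
            .build();
        ObjectMapper mapper = new ObjectMapper();
        // Two-argument form uses WRAPPER_ARRAY inclusion, the same wire format as the legacy call.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Deserialize one document and report what class the type id resolved to, or why it was refused. */
    static String describe(ObjectMapper mapper, String json) {
        try {
            Envelope env = mapper.readValue(json, Envelope.class);
            return "accepted: " + env.payload.getClass().getName();
        } catch (JsonMappingException e) {
            // The PolymorphicTypeValidator denial surfaces here as an invalid type id.
            return "rejected: " + e.getOriginalMessage();
        } catch (JsonProcessingException e) {
            return "error: " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("legacy   / allowed : " + describe(legacyMapper(), ALLOWED_JSON));
        System.out.println("legacy   / unlisted: " + describe(legacyMapper(), UNLISTED_JSON));
        System.out.println("hardened / allowed : " + describe(hardenedMapper(), ALLOWED_JSON));
        System.out.println("hardened / unlisted: " + describe(hardenedMapper(), UNLISTED_JSON));
    }
}
```

With the legacy mapper both documents deserialize, because the type id in the JSON is honoured for any non-final class the blocklist does not name. With the hardened mapper only the Greeting document deserializes; the HashMap document, and any gadget class an attacker might substitute, is refused before an instance is created, so the allowlist holds regardless of whether the library version knows about that gadget. Upgrading to the fixed version on its own closes this CVE, but the allowlist is what stops the next blocklist bypass.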

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43