Vulnerable Library - jackson-databind-2.8.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.11.3/jackson-databind-2.8.11.3.jar

Dependency Hierarchy:

• core-3.15.42.jar (Root Library)
  • spring-boot-starter-web-1.5.22.RELEASE.jar
    • ❌ jackson-databind-2.8.11.3.jar (Vulnerable Library)

Found in HEAD commit: 4b5ed1d2f3030d721692ff4f980e8d2467fde19b

Found in base branch: main

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://access.redhat.com/errata/RHSA-2019:2938

Release Date: 2019-10-01

Fix Resolution: org.codehaus.jackson:jackson-mapper-asl-7.2.4;com.fasterxml.jackson.core:jackson-databind-2.9.9