Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
P2
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: 2.0.0
-
Labels:
-
Template:customfield_11100 22396
-
Sprint:EPAM BatchLoader Sprint 7
-
Story Points:0.5
-
Development Team:Folijet
-
Epic Link:
Description
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11.3 or later. For example:
<dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>[2.8.11.3,)</version> </dependency>
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2018-19360 [More information](https://nvd.nist.gov/vuln/detail/CVE-2018-19360)
high severity
*Vulnerable versions:* >= 2.8.0, < 2.8.11.3
*Patched version:* 2.8.11.3
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-14720 [More information](https://nvd.nist.gov/vuln/detail/CVE-2018-14720)
high severity
*Vulnerable versions:* >= 2.8.0, < 2.8.11.3
*Patched version:* 2.8.11.3
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14719 [More information](https://nvd.nist.gov/vuln/detail/CVE-2018-14719)
high severity
*Vulnerable versions:* >= 2.8.0, < 2.8.11.3
*Patched version:* 2.8.11.3
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVE-2018-14718 [More information](https://nvd.nist.gov/vuln/detail/CVE-2018-14718)
high severity
*Vulnerable versions:* >= 2.8.0, < 2.8.11.3
*Patched version:* 2.8.11.3
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVE-2018-19362 [More information](https://nvd.nist.gov/vuln/detail/CVE-2018-19362)
high severity
*Vulnerable versions:* >= 2.8.0, < 2.8.11.3
*Patched version:* 2.8.11.3
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVE-2018-19361 [More information](https://nvd.nist.gov/vuln/detail/CVE-2018-19361)
high severity
*Vulnerable versions:* >= 2.8.0, < 2.8.11.3
*Patched version:* 2.8.11.3
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2018-14721 [More information](https://nvd.nist.gov/vuln/detail/CVE-2018-14721)
high severity
*Vulnerable versions:* >= 2.8.0, < 2.8.11.3
*Patched version:* 2.8.11.3
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
TestRail: Results
Attachments
Issue Links
- blocks
-
FOLIO-1683 Security vulnerability reported in jackson-databind >= 2.8.0, < 2.8.11.3
-
- Closed
-
- relates to
-
UXPROD-656 Data Import (Batch Importer for Bib Acq) Infrastructure and Planning
-
- Closed
-