Jackson-databind: Block one more gadget type (logback, CVE-2019-14439)

Created on 24 Jul 2019  路  8Comments  路  Source: FasterXML/jackson-databind

Another gadget type report regarding logback/JNDI.

Mitre id: CVE-2019-14439
Reporter: [email protected] (Badcode of Knownsec 404 Team)

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3
CVE
Source
picture cowtowncoder
👍2

Most helpful comment

@jdelta-RBS yup, same old shite.

picture cowtowncoder on 25 Jul 2019
👍2

All 8 comments

Similar to #2341 and others? -_-

jdelta-RBS picture jdelta-RBS on 25 Jul 2019

@jdelta-RBS yup, same old shite.

cowtowncoder picture cowtowncoder on 25 Jul 2019
👍2

Is this the correct CVE? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439 CVE-2019-14439 was assigned for this issue.

carnil picture carnil on 30 Jul 2019

I don't know. I guess this is downside of my not requesting CVE IDs -- looks like we now have TWO cve ids for same thing. :-/

Will the real CVE-for-logback please stand up?

cowtowncoder picture cowtowncoder on 31 Jul 2019

Hi

On Tue, Jul 30, 2019 at 03:35:23PM -0700, Tatu Saloranta wrote:

I don't know. I guess this is downside of my not requesting CVE IDs
-- looks like we now have TWO cve ids for same thing. :-/

Uh okay!

I asked MITRE (via https://cveform.mitre.org/) if they can look up and
reject one of those.

carnil picture carnil on 31 Jul 2019

Thank you.

cowtowncoder picture cowtowncoder on 31 Jul 2019

CVE-2019-14361 was rejected. Update the title to prevent confusion?

nluedtke picture nluedtke on 2 Aug 2019

Done. Will need to try to hunt down refs in other places now.

cowtowncoder picture cowtowncoder on 2 Aug 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

drekka picture drekka  路  3Comments
victornoel picture victornoel  路  3Comments
MarkusKull picture MarkusKull  路  4Comments
test88d picture test88d  路  5Comments
trevora-edge picture trevora-edge  路  5Comments