Jackson-databind: Block one more gadget type (HikariCP, CVE-2019-14540)

Created on 6 Aug 2019  路  8Comments  路  Source: FasterXML/jackson-databind

Another gadget (*) type report regarding HikariConfig, via HikariDataSource

Mitre id: CVE-2019-14540
Reporter: iSafeBlue / blue at ixsec.org

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

Fixed in:

  • 2.9.10
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later
CVE
Source
picture iSafeBlue

Most helpful comment

No 2.9.9.4 micro patch for this?

picture jordandev on 20 Sep 2019
👍3 👎1

All 8 comments

it also work find on fastjson.

Ramos-dev picture Ramos-dev on 6 Aug 2019

Thank you for the report -- I got the email and had a look at linked to explanation.
Seems legit.

cowtowncoder picture cowtowncoder on 6 Aug 2019

maybe this one will get 3 CVEs : )

jdelta-RBS picture jdelta-RBS on 6 Aug 2019

Block added, will be included in:

  • 2.9.10
  • 2.10.0.pr2 (and final 2.10.0)

also backported in 2.8 branch but not sure if any more releases for 2.8 will be made.

cowtowncoder picture cowtowncoder on 10 Aug 2019

When is 2.9.10 being released?
Looks like another repeat of the delay on the previous security fixes.

OrangeDog picture OrangeDog on 19 Sep 2019
👎2

@OrangeDog 2.9.10 will be released after 2.10.0, likely in 2 weeks.

cowtowncoder picture cowtowncoder on 19 Sep 2019

No 2.9.9.4 micro patch for this?

jordandev picture jordandev on 20 Sep 2019
👍3 👎1

Nope.

cowtowncoder picture cowtowncoder on 20 Sep 2019
👎1 👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

lathspell picture lathspell  路  6Comments
kennethjor picture kennethjor  路  5Comments
victornoel picture victornoel  路  3Comments
laoyur picture laoyur  路  3Comments
aburnett picture aburnett  路  5Comments