Jackson-databind: Block one more gadget type (ehcache, CVE-2019-17267)

Created on 17 Sep 2019  路  3Comments  路  Source: FasterXML/jackson-databind

Another gadget (*) type report regarding a class of ehcache package (follow up for #2387)

Mitre id: CVE-2019-17267
Reporter: lufeirider

Fix included in:

  • 2.9.10
  • 2.8.11.5
  • does not affect 2.10.0 and later

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

CVE
Source
picture lufeirider

Most helpful comment

CVE-2019-17267 was assigned to this issue.

picture abergmann on 7 Oct 2019
👍3

All 3 comments

Thank you -- email received, will track progress with this issue. Will update description and title appropriately with more information.

cowtowncoder picture cowtowncoder on 17 Sep 2019

CVE-2019-17267 was assigned to this issue.

abergmann picture abergmann on 7 Oct 2019
👍3

@abergmann thanks!

cowtowncoder picture cowtowncoder on 7 Oct 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

laoyur picture laoyur  路  3Comments
matthewshannon picture matthewshannon  路  4Comments
drekka picture drekka  路  3Comments
kennethjor picture kennethjor  路  5Comments
victornoel picture victornoel  路  3Comments