Details
Bug
Status: Closed
Critical
Resolution: Fixed
3.4.6
None
Description
Hello colleagues,
Encountering the following vulnerabilities during a Vulas scan with TinkerPop 3.4.6:
- FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
- FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
- FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
- FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
- FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Vulnerability Id: CVE-2019-20330
Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
References:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9
https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e
https://github.com/FasterXML/jackson-databind/issues/2526
It seems that these issues are resolved in jackson-databind 2.10.2.
Probably a change similar to this one (https://github.com/apache/tinkerpop/pull/1220/files), but applying 2.10.2 will resolve the vulnerabilities.
Thanks in advance for the help!
Best Regards,
Simeon Andonov
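The five CVEs listed above share one mechanism: when an ObjectMapper has default typing enabled, the JSON itself names the class to instantiate, and the pre-2.10 releases defended that only with a growing blocklist of known gadget classes (each CVE adds one more). jackson-databind 2.10 introduced the PolymorphicTypeValidator allowlist. The example below, added here and not code from the TinkerPop project or from the reporter, shows the same payload against a blocklist-style mapper and against an allowlisted one; the `Config` bean, the `DefaultTypingDemo` class and the payload are constructed for illustration, and the type id names a harmless JDK class rather than a real gadget.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the page or the project); requires jackson-databind >= 2.10.
public class DefaultTypingDemo {

    // Hypothetical application type: the only class we want the type id to be able to name.
    public static class Config {
        public String name;
    }

    // Constructed payload. With default typing on, the first array element is the class
    // Jackson instantiates; an attacker substitutes a gadget such as the ehcache, xbean,
    // hikari, ibatis or anteros classes from the CVEs. java.util.HashMap stands in here.
    static final String ATTACKER_PAYLOAD = "[\"java.util.HashMap\", {\"name\": \"x\"}]";

    // Legitimate payload naming our own bean via the same type-id mechanism.
    static final String LEGIT_PAYLOAD =
        "[\"" + Config.class.getName() + "\", {\"name\": \"graph\"}]";

    // Pre-2.10 style: any class on the classpath is a candidate, minus jackson's blocklist.
    // This is the configuration the listed CVEs exploit; enableDefaultTyping is deprecated in 2.10.
    @SuppressWarnings("deprecation")
    public static Object readWithBlocklist(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return mapper.readValue(json, Object.class);
    }

    // 2.10 style: default typing is only activated behind an explicit allowlist, so a type id
    // outside it is rejected before any constructor or setter of the named class runs.
    public static Object readWithAllowlist(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Config.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        // Blocklist mapper: the attacker-chosen class is instantiated (here a HashMap).
        Object o = readWithBlocklist(ATTACKER_PAYLOAD);
        System.out.println("blocklist mapper instantiated: " + o.getClass().getName());

        // Allowlist mapper: our own bean still round-trips...
        Config c = (Config) readWithAllowlist(LEGIT_PAYLOAD);
        System.out.println("allowlist mapper accepted: " + c.name);

        // ...but the attacker-chosen class is refused with InvalidTypeIdException.
        try {
            readWithAllowlist(ATTACKER_PAYLOAD);
            System.out.println("UNEXPECTED: attacker type id was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("allowlist mapper rejected: " + e.getTypeId());
        }
    }
}
```

Bumping jackson-databind to 2.10.x picks up the new CVE fixes, but it does not by itself turn on the validator: any ObjectMapper that still calls enableDefaultTyping keeps the blocklist behaviour, so after the upgrade it is worth grepping the code base and its dependencies for enableDefaultTyping and @JsonTypeInfo(use = Id.CLASS) and moving them to activateDefaultTyping with a validator such as the one above.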
Issue Links
is related to TINKERPOP-2356 Bump to Jackson 2.10.x (Closed)