Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] RCE vulnerability in dependency jackson-databind #952

Closed
JLLeitschuh opened this issue Feb 14, 2019 · 0 comments
Closed

[SECURITY] RCE vulnerability in dependency jackson-databind #952

JLLeitschuh opened this issue Feb 14, 2019 · 0 comments
Assignees
@cy6erGn0m
Milestone
1.1.3

Comments

@JLLeitschuh
Copy link
Contributor

JLLeitschuh commented Feb 14, 2019
edited
Loading

In the past month, there have been a significant number of security vulnerabilities and CVE numbers issued against jackson-databind.

This vunerability has a CVSSv3 score of 9.8/10.

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=+jackson-databind&search_type=all

Ktor depends upon version 2.9.2 of jackson-module-kotlin:

ktor/ktor-features/ktor-jackson/build.gradle

Lines 5 to 7 in 24c7b56

dependencies {
api group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: '2.9.2'
}

jackson-module-kotlin has a dependency upon jackson-databind:
https://mvnrepository.com/artifact/com.fasterxml.jackson.module/jackson-module-kotlin/2.9.2

Related #773
@JLLeitschuh JLLeitschuh changed the title [SECURITY] jackson-databind RCE vulnerability in dependencies [SECURITY] RCE vulnerability in dependency jackson-databind Feb 14, 2019
JLLeitschuh added a commit to JLLeitschuh/ktor that referenced this issue Feb 14, 2019
@JLLeitschuh
Update to jackson version 2.9.8
f4c9ad9 
Security fix in jackson-databind:
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=+jackson-databind&search_type=all

Closes ktorio#952
@JLLeitschuh JLLeitschuh mentioned this issue Feb 14, 2019
Merged
@cy6erGn0m cy6erGn0m added this to the 1.2.1 milestone Feb 15, 2019
cy6erGn0m pushed a commit that referenced this issue Feb 16, 2019
@JLLeitschuh @cy6erGn0m
Update to jackson version 2.9.8
0005ecb 
Security fix in jackson-databind:
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=+jackson-databind&search_type=all

Closes #952
cy6erGn0m pushed a commit that referenced this issue Feb 16, 2019
@JLLeitschuh
Update to jackson version 2.9.8
26bfe69 
Security fix in jackson-databind:
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=+jackson-databind&search_type=all

Closes #952

(cherry picked from commit 0005ecb)
schleinzer pushed a commit to schleinzer/ktor that referenced this issue Feb 26, 2019
@JLLeitschuh
Update to jackson version 2.9.8
3335ed3 
Security fix in jackson-databind:
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=+jackson-databind&search_type=all

Closes ktorio#952
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cy6erGn0m cy6erGn0m

Labels
None yet
Projects
None yet
Milestone
1.1.3
Development

No branches or pull requests
2 participants
@cy6erGn0m @JLLeitschuh