Fix CVE 2017-15095 and CVE-2018-7489 #1597
Comments
For what it is worth, the next (micro-)patch version with fixes to above-mentioned CVEs is Potential risk of CVEs in question is discussed on: and I don't know if SDK uses either Default Typing or polymorphic types (via But I think many/most/all CVE tools are unable to assess actual risk wrt features used and simply assume there is a vulnerability just because someone may use specific feature(s) in question, so even if there were no problems, security tools are likely to flag dependency as risky.

We will be updating the README shortly about these CVEs. In short the SDK is not affected because we don't use polymorphic deserialization, as @cowtowncoder explains above.
At the time of writing, the AWS SDK depends on jackson-databind v2.6.7.1. This version suffers from CVE 2017-15095 and CVE-2018-7489, both of which are critical vulnerabilities. A fix for CVE 2017-15095 was backported to 2.6.7.x in FasterXML/jackson-databind#1945. However, it was never released. I'm also unaware of a backport of FasterXML/jackson-databind#1931.