CVE-2018-7489 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 #350
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Vulnerable Package issue exists @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 in branch master
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Namespace: cxronen
Repository: BookStore_VSCode
Repository Url: https://github.com/cxronen/BookStore_VSCode
CxAST-Project: cxronen/BookStore_VSCode
CxAST platform scan: bd7a4263-ea5f-49fd-8fdb-752c76ed1f15
Branch: master
Application: BookStore_VSCode
Severity: HIGH
State: NOT_IGNORED
Status: NEW
CWE: CWE-502
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 2.6.7.5
References
Advisory
Issue
Commit
The text was updated successfully, but these errors were encountered: