Potential issue with jackson-databind 2.9.9.x #2128

AnEmortalKid · 2019-08-06T20:18:11Z

[CVE-2019-14379](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14379

Is being flagged for jackson-databind-xml:

cpe: cpe:/a:fasterxml:jackson:2.9.9  Confidence:Low  suppress
maven: com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.9.9  Confidence:Highest
cpe: cpe:/a:fasterxml:jackson-databind:2.9.9  Confidence:Highest  suppress

jackson-dataformat-xml-2.9.9.jar (cpe:/a:fasterxml:jackson:2.9.9, com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.9.9, cpe:/a:fasterxml:jackson-databind:2.9.9) : CVE-2019-14379, CVE-2019-12814

The CVE's were assessed and fixed in the jackson-databind module and not databind-xml: FasterXML/jackson-dataformat-xml#349
FasterXML/jackson-databind#2387

I wasn't entirely sure if this fell under the false positive/negative category or there's something missing that would help associate the 2.9.9.x versions as fixed.

Plugin Version in use:

dependency-check-maven:4.0.2:check

The text was updated successfully, but these errors were encountered:

jeremylong · 2019-09-21T11:35:41Z

The referenced CVE is not fixed in 2.9.9 - it is fixed in 2.9.9.2. Using ODC 5.2.1 these are correctly reported.

AnEmortalKid added the question label Aug 6, 2019

jeremylong added FP Report and removed question labels Aug 7, 2019

jeremylong closed this as completed Sep 21, 2019

lock bot locked and limited conversation to collaborators Oct 21, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential issue with jackson-databind 2.9.9.x #2128

Potential issue with jackson-databind 2.9.9.x #2128

AnEmortalKid commented Aug 6, 2019

jeremylong commented Sep 21, 2019

Potential issue with jackson-databind 2.9.9.x #2128

Potential issue with jackson-databind 2.9.9.x #2128

Comments

AnEmortalKid commented Aug 6, 2019

jeremylong commented Sep 21, 2019