Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2018-5968 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 #501

Closed
cxronen opened this issue Apr 13, 2023 · 0 comments
Closed

CVE-2018-5968 @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 #501

cxronen opened this issue Apr 13, 2023 · 0 comments
Labels
branch:master Checkmarx CxSCA

Comments

@cxronen
Copy link
Owner

cxronen commented Apr 13, 2023

Vulnerable Package issue exists @ Maven-com.fasterxml.jackson.core:jackson-databind-2.0.4 in branch master

FasterXML jackson-databind before 2.6.7.3, 2.7.x before 2.7.9.5, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.4, allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Namespace: cxronen
Repository: BookStore_VSCode
Repository Url: https://github.com/cxronen/BookStore_VSCode
CxAST-Project: cxronen/BookStore_VSCode
CxAST platform scan: fc26843f-bb4e-45c5-a7be-bc8203bed522
Branch: master
Application: BookStore_VSCode
Severity: HIGH
State: NOT_IGNORED
Status: RECURRENT
CWE: CWE-502

Additional Info
Attack vector: NETWORK
Attack complexity: HIGH
Confidentiality impact: HIGH
Availability impact: HIGH
Remediation Upgrade Recommendation: 2.6.7.5

References
Advisory
Issue
Commit
@cxronen cxronen closed this as completed Apr 20, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
branch:master Checkmarx CxSCA
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cxronen