Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
Control: found -1 2.8.6-1+deb9u2
Control: found -1 2.4.2-2+deb8u2

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-5968[0]:
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
| This is exploitable via two different gadgets that bypass a blacklist.

The upstream issue is at [1], with upstream fix [2]. If I see it correctly, with commit [3] the code was shuffled around a bit, so the patched file is different in the meantime.

If you disagree on the analysis, given I'm unfamiliar with jackson-databind, let me know.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5968
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
[1] https://github.com/FasterXML/jackson-databind/issues/1899
[2] https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf

Regards,
Salvatore