This repository has been archived by the owner on Mar 31, 2023. It is now read-only.

CVE-2018-7489 on jackson-databind 2.4.5 #182

Open
huichuno opened this issue Jul 29, 2019 · 1 comment

Comments

@huichuno

https://nvd.nist.gov/vuln/detail/CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.


huichuno commented Aug 2, 2019

Is it possible to update jackson-databind (https://github.com/FasterXML/jackson-databind) to the latest release version, which is free from this vulnerability?
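
A defender-side check for the version ranges quoted in this issue, as an added example that is not part of the original thread or the project's code: it scans `mvn dependency:list`-style lines for affected jackson-databind versions and notes whether a c3p0 artifact is on the classpath. The function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Fixed versions, taken from the advisory text quoted in the issue.
FIXED_BY_BRANCH = {(2, 8): (2, 8, 11, 1), (2, 9): (2, 9, 5, 0)}
FIXED_DEFAULT = (2, 7, 9, 3)  # "before 2.7.9.3" covers every older branch

# group:artifact:jar:version:scope, as printed by `mvn dependency:list`
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")

def parse_version(text):
    """Leading numeric components, padded to four: 2.4.5 -> (2, 4, 5, 0)."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break  # qualifiers such as "pr1" or "SNAPSHOT" are ignored
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0, 0])[:4])

def is_affected(version):
    """True if the version is older than the fix for its release branch."""
    v = parse_version(version)
    return v < FIXED_BY_BRANCH.get(v[:2], FIXED_DEFAULT)

def audit(lines):
    """Return (affected jackson-databind versions, c3p0 artifact present?)."""
    affected, c3p0 = [], False
    for line in lines:
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if (group, artifact) == ("com.fasterxml.jackson.core", "jackson-databind"):
            if is_affected(version):
                affected.append(version)
        elif artifact == "c3p0":
            c3p0 = True  # the advisory names c3p0 as the library that defeats the blacklist
    return affected, c3p0

# Constructed sample input, not output from the project in this issue.
SAMPLE = [
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.4.5:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.4.5:compile",
    "[INFO]    com.mchange:c3p0:jar:0.9.5.2:runtime",
    "[INFO]    org.slf4j:slf4j-api:jar:1.7.25:compile",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```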
