Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-3441

OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814

    XMLWordPrintableJSON

    Details

      Description

      OWASP dependency checker is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)
      We should upgrade the library but we are currently using the latest and greatest 2.9.9.

      A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
      

      We don't have jdom on the classpath, so we are not affected directly by this change, but users that are using ZooKeeper Server in a custom environment should take note of this issue

      this is the issue on Jackson: https://github.com/FasterXML/jackson-databind/issues/2341

        Attachments

          Activity

            People

            • Assignee:
              phunt Patrick D. Hunt
              Reporter:
              eolivelli Enrico Olivelli
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 3h
                3h