Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-3441

OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814

    XMLWordPrintableJSON

Details

    Description

      OWASP dependency checker is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)
      We should upgrade the library but we are currently using the latest and greatest 2.9.9.

      A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

      We don't have jdom on the classpath, so we are not affected directly by this change, but users that are using ZooKeeper Server in a custom environment should take note of this issue

      this is the issue on Jackson: https://github.com/FasterXML/jackson-databind/issues/2341

      Attachments

        Activity

          People

            phunt Patrick D. Hunt
            eolivelli Enrico Olivelli
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 3h
                3h