Jenkins / JENKINS-51344

Jackson-Databind needs to be upgraded to 2.9.4+ to address CVE-2018-5968


      Description

      Jackson-databind jar needs to be updated to 2.9.4+ to address https://nvd.nist.gov/vuln/detail/CVE-2018-5968


          Activity

Daniel Beck (danielbeck) added a comment -

Specifically, the CVE is being identified by crappy security scanners, as none of these plugins opt in to the affected feature in jackson-databind, last time I checked at least.

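The "affected feature" referred to above is jackson-databind's default typing, which lets a JSON payload name the class to instantiate. The following is an added example, not code from this issue or from any Jenkins plugin, showing the same payload handled by a mapper that does not opt in and by one that does. It assumes jackson-databind 2.9.x on the classpath; the class name `java.net.URL` in the constructed payload is a harmless placeholder chosen to make the behaviour visible, not one of the gadget classes from CVE-2018-5968.

```java
// Added example (not from the Jenkins issue or any plugin): shows what
// "opting in" to the affected jackson-databind feature looks like, and why a
// plugin that never enables default typing does not honour the class name
// embedded in a polymorphic payload.
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingCheck {

    // Constructed sample input in the wrapper-array shape that default typing
    // expects for java.lang.Object targets: [class name, value]. java.net.URL
    // is a placeholder; building a URL object performs no network access.
    static final String PAYLOAD = "[\"java.net.URL\", \"http://example.invalid/\"]";

    // A mapper configured the way the plugins in this issue use it: no default
    // typing. The "class name" is just a string inside a JSON array, and the
    // result is a java.util.List of two strings.
    public static Object parseWithoutDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Object.class);
    }

    // A mapper that opts in. enableDefaultTyping() (jackson-databind 2.9;
    // replaced by activateDefaultTyping(PolymorphicTypeValidator, ...) in 2.10)
    // makes the mapper resolve and instantiate whatever class the payload
    // names, subject only to jackson-databind's built-in blocklist. This is
    // the configuration the CVE's gadget classes require; here the result is
    // a java.net.URL instance, i.e. the attacker-supplied class name was
    // honoured.
    public static Object parseWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        Object safe = parseWithoutDefaultTyping(PAYLOAD);
        System.out.println("no default typing : " + safe.getClass().getName() + " -> " + safe);

        Object opted = parseWithDefaultTyping(PAYLOAD);
        System.out.println("default typing    : " + opted.getClass().getName() + " -> " + opted);
    }
}
```

The triage a plugin maintainer can do when a scanner flags the bundled jar is to search the plugin's source for the opt-in calls (`enableDefaultTyping`, `setDefaultTyping`, or `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)` on a deserialized type); if none are present, the mapper behaves like `parseWithoutDefaultTyping` and the class name in a hostile payload is never resolved.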
Oleg Nenashev (oleg_nenashev) added a comment -

Bill Stephens, just for the future, please follow the https://jenkins.io/security/#reporting-vulnerabilities process if you see security-related issues. Regarding this particular CVE, we recently did an investigation, and we didn't discover any usages of the vulnerable API in JIRA. Updates would be nice, but there is no security defect on the Jenkins side. If you see any, please report them accordingly.

Generally, all listed plugins should switch to the Jackson Databind Plugin or the Jackson2 API Plugin so that they do not bundle the dependencies on their own.

Oleg Nenashev (oleg_nenashev) added a comment -

Bill Stephens, I suggest creating a separate issue for each plugin in question.

Lai DaZhi (cuks) added a comment - edited

https://help.aliyun.com/noticelist/articleid/1060030951.html?spm=5176.12809143.sas.12.6532kyPjkyPjSj

CVE-2019-12384

People

• Assignee: Marcel Birkner (marcelbirkner)
• Reporter: Bill Stephens (bstephens)
