CVE: 2019-16943 found in jackson-databind - Version: 2.4.2 [JAVA] #39

github-actions · 2024-01-17T22:47:47Z

Veracode Software Composition Analysis

Attribute	Details
Library	jackson-databind
Description	General data-binding functionality for Jackson: works on core streaming API
Language	JAVA
Vulnerability	Remote Code Execution (RCE)
Vulnerability description	jackson-databind is vulnerable to remote code execution (RCE). The vulnerability exists as it does not stop classes from the `p6spy` package from being used as deserialization gadgets.
CVE	2019-16943
CVSS score	6.8
Vulnerability present in version/s	2.0.0-RC1-2.6.7.2
Found library version/s	2.4.2
Vulnerability fixed in version	2.6.7.3
Library latest version	2.16.1
Fix	Apply the indicated patch (v2.9.10.1) instead of upgrading directly to 2.10.0. If upgrading to the next minor version, use the new safe methods for default typing and whitelisting. Refer to (FasterXML/jackson-databind#2195 (comment))

Links:

The text was updated successfully, but these errors were encountered:

github-actions · 2024-01-17T22:47:48Z

Veracode issue link to PR: #2

github-actions · 2024-01-17T22:54:54Z

Veracode issue link to PR: #43

github-actions bot added Severity: High High severity Veracode Dependency Scanning A Veracode identified vulnerability labels Jan 17, 2024