SonarQube issue SONAR-11783

CVE-2018-14718, 14719, 14720, 14721 / jackson-databind

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.7, 7.6
    • Fix Version/s: 6.7.7, 7.7
    • Component/s: None
    • Labels: None
    • Edition: Community
    • Production Notes: None

      Description

      A customer has reported that a security scan flagged Jackson Databind 2.9.5 as being vulnerable to the following CVEs.

      jackson-databind 2.9.5 is used in both SonarQube 6.7.6 LTS and SonarQube 7.6.

      https://github.com/sonarsource/sonarqube/blob/branch-6.7/pom.xml

          <jackson.version>2.9.5</jackson.version>

      https://github.com/SonarSource/sonar-enterprise/blob/master/build.gradle

            dependencySet(group: 'com.fasterxml.jackson.core', version: '2.9.5') {
              entry 'jackson-core'
              entry 'jackson-databind'
              entry 'jackson-annotations'
            }

      The latest version of Jackson Databind is 2.9.8. 2.9.7 is the version of Jackson Databind that addressed the listed CVEs, and 2.9.8 addresses the following additional CVEs.
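      As an added check (not part of this issue or of SonarQube's own code), the following Python script scans the two build-file forms quoted above for the pinned Jackson version and reports whether it is below 2.9.7, the release the issue names as fixing these CVEs; the sample inputs are constructed to mirror the quoted snippets.

```python
import re

# Versions taken from the issue text: 2.9.7 fixed the listed CVEs,
# 2.9.8 is the latest release the issue names.
FIXED_IN = (2, 9, 7)
LATEST = (2, 9, 8)

# Maven property form used in the SonarQube pom.xml quoted above.
MAVEN_RE = re.compile(r"<jackson\.version>\s*([\d.]+)\s*</jackson\.version>")
# Gradle dependencySet form used in the build.gradle quoted above.
GRADLE_RE = re.compile(
    r"dependencySet\(\s*group:\s*'com\.fasterxml\.jackson\.core'\s*,"
    r"\s*version:\s*'([\d.]+)'\s*\)"
)


def parse_version(text):
    # Tuple comparison orders 2.10.0 after 2.9.8 correctly, unlike string comparison.
    return tuple(int(part) for part in text.split("."))


def find_jackson_versions(build_file_text):
    """Return every Jackson version pinned in a pom.xml or build.gradle fragment."""
    found = MAVEN_RE.findall(build_file_text) + GRADLE_RE.findall(build_file_text)
    return [parse_version(v) for v in found]


def assess(build_file_text):
    """Return (version, status) pairs for each pinned Jackson version found."""
    results = []
    for v in find_jackson_versions(build_file_text):
        if v < FIXED_IN:
            status = "affected: below 2.9.7"
        elif v < LATEST:
            status = "listed CVEs fixed; newer release available"
        else:
            status = "current"
        results.append((".".join(map(str, v)), status))
    return results


# Constructed sample inputs mirroring the two snippets quoted in the issue.
POM_SAMPLE = "<properties><jackson.version>2.9.5</jackson.version></properties>"
GRADLE_SAMPLE = """
dependencySet(group: 'com.fasterxml.jackson.core', version: '2.9.5') {
  entry 'jackson-core'
  entry 'jackson-databind'
  entry 'jackson-annotations'
}
"""

if __name__ == "__main__":
    for sample in (POM_SAMPLE, GRADLE_SAMPLE):
        for version, status in assess(sample):
            print(version, status)
```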

      People

      • Assignee: Michal Duda (michal.duda)
      • Reporter: Lars Svensson (lars.svensson, Inactive)