SonarQube / SONAR-11783

CVE-2018-14718, 14719, 14720, 14721 / jackson-databind


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.7, 7.6
    • Fix Version/s: 6.7.7, 7.7
    • Component/s: None
    • Labels: None
    • Edition: Community
    • Production Notes: None

      Description

      A customer has reported that a security scan flagged Jackson Databind 2.9.5 as being vulnerable to the following CVEs

      jackson-databind 2.9.5 is used in both SonarQube 6.7.6 LTS and SonarQube 7.6.

      https://github.com/sonarsource/sonarqube/blob/branch-6.7/pom.xml

          <jackson.version>2.9.5</jackson.version>

      https://github.com/SonarSource/sonar-enterprise/blob/master/build.gradle

          dependencySet(group: 'com.fasterxml.jackson.core', version: '2.9.5') {
            entry 'jackson-core'
            entry 'jackson-databind'
            entry 'jackson-annotations'
          }

      The latest version of Jackson Databind is 2.9.8. 2.9.7 is the version of Jackson Databind that addressed the listed CVEs, and 2.9.8 addresses the following additional CVEs

            People

            Assignee: Michal Duda (michal.duda, Inactive)
            Reporter: Lars Svensson (lars.svensson, Inactive)
            Votes: 0
            Watchers: 2
