Giacomo Boccardo created CXF-7752: ------------------------------------- Summary: CVE-2018-5968 and CVE-2018-7489 Key: CXF-7752 URL: https://issues.apache.org/jira/browse/CXF-7752 Project: CXF Issue Type: Improvement Reporter: Giacomo Boccardo
Analyzing the dependencies of my project using OWASP Dependency Check a transitive dependency of org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile shows two issues in {color:#000000}ehcache-{color}{color:#990000}2.10.4.{color}{color:#000000}jar/rest-management-{color}{color:#7f0055}*private*{color}{color:#000000}-classpath/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml{color} {color:#000000}and the following explanations are reported:{color} {color:#000000}FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.{color} {color:#000000}FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.{color} Please consider updating net.sf.ehcache:ehcache:jar:2.10.4 when/if it solves CVE-2018-5968 and CVE-2018-7489. -- This message was sent by Atlassian JIRA (v7.6.3#76005)