[ https://issues.apache.org/jira/browse/ZOOKEEPER-3441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Enrico Olivelli updated ZOOKEEPER-3441:
---------------------------------------
    Description:
OWASP dependency checker is flagging jackson-databind-2.9.9.jar for CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)

We should upgrade the library but we are currently using the latest and greatest 2.9.9.

{noformat}
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
{noformat}

We don't have jdom on the classpath, so we are not affected directly by this change, but users that are using ZooKeeper Server in a custom environment should take note of this issue.

This is the issue on Jackson: https://github.com/FasterXML/jackson-databind/issues/2341

  was:
OWASP dependency checker is flagging jackson-databind-2.9.9.jar for CVE-2019-12814

We should upgrade the library or add a suppression.


> OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814
> ---------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3441
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3441
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: build, security
>    Affects Versions: 3.6.0
>            Reporter: Enrico Olivelli
>            Assignee: Enrico Olivelli
>            Priority: Critical
>             Fix For: 3.6.0
>
>
> OWASP dependency checker is flagging jackson-databind-2.9.9.jar for
> CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)
>
> We should upgrade the library but we are currently using the latest and
> greatest 2.9.9.
>
> {noformat}
> A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
> through 2.9.9. When Default Typing is enabled (either globally or for a
> specific property) for an externally exposed JSON endpoint and the service
> has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically
> crafted JSON message that allows them to read arbitrary local files on the
> server.
> {noformat}
>
> We don't have jdom on the classpath, so we are not affected directly by this
> change, but users that are using ZooKeeper Server in a custom environment
> should take note of this issue.
>
> This is the issue on Jackson:
> https://github.com/FasterXML/jackson-databind/issues/2341



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
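Added example, not ZooKeeper's own build configuration: an OWASP dependency-check suppression entry for the finding discussed in this issue, with the reason for accepting it recorded in the notes so reviewers can re-check the preconditions later. The file name and the packageUrl pattern are assumptions; the CVE, artifact and the "no JDOM on the classpath" justification come from the issue text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical owasp-suppressions.xml (added example, not the project's file).
     Suppresses only CVE-2019-12814 on jackson-databind, nothing else. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2019-12814 (jackson-databind 2.x through 2.9.9) is only reachable when
      Default Typing is enabled for an externally exposed JSON endpoint AND a
      JDOM 1.x/2.x jar is on the classpath. ZooKeeper does not have JDOM on the
      classpath, so the stock server is not directly affected (ZOOKEEPER-3441).
      Re-evaluate this suppression if a JDOM dependency is ever introduced or
      when a fixed jackson-databind release becomes available.
    ]]></notes>
    <!-- Match the artifact by package URL rather than by file name so the
         suppression survives a version bump but stays scoped to this CVE. -->
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
    <cve>CVE-2019-12814</cve>
  </suppress>
</suppressions>
```

Note that a suppression only records the project's own classpath analysis; deployments that add JDOM alongside the ZooKeeper server, as the issue warns, are not covered by it and should run their own dependency scan.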