[
https://issues.apache.org/jira/browse/ZOOKEEPER-3441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Enrico Olivelli updated ZOOKEEPER-3441:
---------------------------------------
Description:
OWASP dependency checker is flagging jackson-databind-2.9.9.jar for
CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)
We should upgrade the library but we are currently using the latest and
greatest 2.9.9.
{noformat}
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
through 2.9.9. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically
crafted JSON message that allows them to read arbitrary local files on the
server.
{noformat}
We don't have jdom on the classpath, so we are not affected directly by this
change, but users that are using ZooKeeper Server in a custom environment
should take note of this issue
this is the issue on Jackson:
https://github.com/FasterXML/jackson-databind/issues/2341
was:
OWASP dependency checker is flagging jackson-databind-2.9.9.jar for
CVE-2019-12814
We should upgrade the library or add a suppression.
> OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814
> ---------------------------------------------------------------
>
> Key: ZOOKEEPER-3441
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3441
> Project: ZooKeeper
> Issue Type: Bug
> Components: build, security
> Affects Versions: 3.6.0
> Reporter: Enrico Olivelli
> Assignee: Enrico Olivelli
> Priority: Critical
> Fix For: 3.6.0
>
>
> OWASP dependency checker is flagging jackson-databind-2.9.9.jar for
> CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814)
> We should upgrade the library but we are currently using the latest and
> greatest 2.9.9.
> {noformat}
> A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
> through 2.9.9. When Default Typing is enabled (either globally or for a
> specific property) for an externally exposed JSON endpoint and the service
> has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically
> crafted JSON message that allows them to read arbitrary local files on the
> server.
> {noformat}
> We don't have jdom on the classpath, so we are not affected directly by this
> change, but users that are using ZooKeeper Server in a custom environment
> should take note of this issue
> this is the issue on Jackson:
> https://github.com/FasterXML/jackson-databind/issues/2341
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
