Package: jackson-databind X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, I will take care of this one myself. The following vulnerability was published for jackson-databind. CVE-2019-12086[0]: | A Polymorphic Typing issue was discovered in FasterXML jackson- | databind 2.x before 2.9.9. When Default Typing is enabled (either | globally or for a specific property) for an externally exposed JSON | endpoint, the service has the mysql-connector-java jar (8.0.14 or | earlier) in the classpath, and an attacker can host a crafted MySQL | server reachable by the victim, an attacker can send a crafted JSON | message that allows them to read arbitrary local files on the server. | This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin | validation. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-12086 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086 Please adjust the affected versions in the BTS as needed.
signature.asc
Description: OpenPGP digital signature
