CVE-2018-11307 (Medium) detected in jackson-databind-2.9.5.jar #433

mend-bolt-for-github · 2019-05-07T14:00:40Z

CVE-2018-11307 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

jackson-databind has a Potential information exfiltration with default typing. versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6

Publish Date: 2018-12-13

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Release Date: 2019-03-17

Fix Resolution: jackson-databind-2.9.6

Step up your Open Source Security Game with WhiteSource here

ancutam · 2019-06-05T16:30:37Z

Version upgraded to 2.9.8

mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label May 7, 2019

ancutam closed this as completed Jun 5, 2019