security_advisory_event.json
{
"action": "updated",
"security_advisory": {
"ghsa_id": "GHSA-mx7p-6679-8g3q",
"summary": "Moderate severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind",
"description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.",
"severity": "moderate",
"identifiers": [
{
"value": "GHSA-mx7p-6679-8g3q",
"type": "GHSA"
},
{
"value": "CVE-2019-16942",
"type": "CVE"
}
],
"references": [
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16942"
}
],
"published_at": "2019-10-28T20:51:15Z",
"updated_at": "2019-11-01T17:09:59Z",
"withdrawn_at": null,
"vulnerabilities": [
{
"package": {
"ecosystem": "maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"severity": "moderate",
"vulnerable_version_range": "< 2.9.10.1",
"first_patched_version": {
"identifier": "2.9.10.1"
}
}
]
}
}