
[JENKINS-51344] Jackson-Databind needs to be upgraded to 2.9.4+ to address CVE-2018-5968

Jackson-databind jar needs to be updated to 2.9.4+ to address https://nvd.nist.gov/vuln/detail/CVE-2018-5968

          Daniel Beck added a comment -

          Specifically, the CVE being identified by crappy security scanners, as none of these plugins opt in to the affected feature in jackson-databind, last time I checked at least.


          Oleg Nenashev added a comment -

          bstephens just for the future, please follow the https://jenkins.io/security/#reporting-vulnerabilities process if you see security-related issues. Regarding this particular CVE, we recently did an investigation, and we didn't discover any usages of the vulnerable API in JIRA. Updates would be nice, but there is no security defect on the Jenkins side. If you see any, please report them accordingly.

          Generally all listed plugins should switch to Jackson Databind Plugin or Jackson2 API Plugin so that they do not bundle the dependencies on their own.

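As an added example that is not part of this thread and not Jenkins project tooling: a small POSIX shell triage helper for the situation Daniel and Oleg describe, where a scanner flags a plugin's bundled jackson-databind as below 2.9.4 and the question is whether the plugin actually opts in to polymorphic default typing, the feature CVE-2018-5968 concerns (enableDefaultTyping, activateDefaultTyping or @JsonTypeInfo). It assumes a Maven plugin checkout whose pom.xml declares the jackson-databind version literally (no property or BOM indirection) and whose sources live under src/; make_sample_plugin builds a constructed fixture so it can be tried offline.

```shell
#!/bin/sh
# Added triage helper (example code, not from JENKINS-51344 or the Jenkins project).
# Given a Maven plugin checkout, answer the two questions raised in the thread:
#   1. does pom.xml bundle jackson-databind below the 2.9.4 minimum, and
#   2. does any Java source opt in to polymorphic default typing, the feature
#      CVE-2018-5968 is about (enableDefaultTyping / activateDefaultTyping /
#      @JsonTypeInfo)?
# Assumptions: pom.xml declares the jackson-databind <version> literally (no
# property or BOM indirection) and sources live under src/.
# Usage: triage /path/to/plugin-checkout [minimum-version]

# version_ge A B: exit 0 when dotted numeric version A >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print the literal <version> of the jackson-databind dependency, if any.
bundled_databind_version() {
    awk '/<artifactId>jackson-databind<\/artifactId>/ { found = 1; next }
         /<\/dependency>/ { found = 0 }
         found && /<version>/ {
             gsub(/.*<version>|<\/version>.*/, ""); print; exit
         }' "$1"
}

# Count source files under $1 that opt in to default typing.
default_typing_uses() {
    grep -rlE 'enableDefaultTyping|activateDefaultTyping|@JsonTypeInfo' "$1" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Verdicts printed by triage:
#   no-databind            plugin does not bundle jackson-databind (e.g. it
#                          depends on the Jackson 2 API plugin instead)
#   unknown-version        bundled, but the version is not a literal in pom.xml
#   ok                     bundled version is at or above the minimum
#   upgrade-needed         old version AND a source opts in to default typing
#   outdated-not-exposed   old version, but nothing opts in: a scanner hit,
#                          not a reachable defect (Daniel's point above)
triage() {
    plugin="$1"; min="${2:-2.9.4}"
    if ! grep -q '<artifactId>jackson-databind</artifactId>' "$plugin/pom.xml" 2>/dev/null; then
        echo no-databind; return
    fi
    ver=$(bundled_databind_version "$plugin/pom.xml")
    if [ -z "$ver" ]; then echo unknown-version; return; fi
    if version_ge "$ver" "$min"; then echo ok; return; fi
    if [ "$(default_typing_uses "$plugin/src")" -gt 0 ]; then
        echo upgrade-needed
    else
        echo outdated-not-exposed
    fi
}

# Constructed fixture for trying the helper offline; not a real plugin.
# make_sample_plugin DIR VERSION yes|no
make_sample_plugin() {
    fixture="$1"; fixture_ver="$2"; opt_in="$3"
    mkdir -p "$fixture/src/main/java"
    cat > "$fixture/pom.xml" <<EOF
<project>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>$fixture_ver</version>
    </dependency>
  </dependencies>
</project>
EOF
    if [ "$opt_in" = yes ]; then
        printf 'ObjectMapper m = new ObjectMapper();\nm.enableDefaultTyping();\n' \
            > "$fixture/src/main/java/Sample.java"
    else
        printf 'ObjectMapper m = new ObjectMapper();\n' > "$fixture/src/main/java/Sample.java"
    fi
}
```

A plugin that has moved to the Jackson 2 API plugin as Oleg suggests carries no jackson-databind dependency of its own, so the helper reports no-databind for it; that is the end state the thread recommends. The outdated-not-exposed verdict is a triage label, not a reason to skip the upgrade: it separates "scanner noise today" from "reachable defect", which is exactly the distinction the comments above draw.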

          Oleg Nenashev added a comment -

          bstephens I suggest creating a separate issue for each plugin in question


          Lai DaZhi added a comment - edited

          https://help.aliyun.com/noticelist/articleid/1060030951.html?spm=5176.12809143.sas.12.6532kyPjkyPjSj CVE-2019-12384

            Marcel Birkner (marcelbirkner)
            Bill Stephens (bstephens)
            Votes: 0
            Watchers: 4