
CVE-2020-11112: Block one more gadget type (apache/commons-proxy, CVE-2020-11112) · Issue #2666 · FasterXML/jackson-databind

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).


Comments

cowtowncoder changed the title from "Block one more gadget type (commons-proxy)" to "Block one more gadget type (apache/commons-proxy)" on Mar 25, 2020

cowtowncoder changed the title from "Block one more gadget type (apache/commons-proxy)" to "Block one more gadget type (apache/commons-proxy, CVE-2020-11112)" on Apr 1, 2020

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue on May 8, 2020

qxo added a commit to qxo/jackson-databind that referenced this issue on Sep 21, 2020

qxo mentioned this issue on Sep 21, 2020

cowtowncoder pushed a commit that referenced this issue on Sep 22, 2020

@qxo

#2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

  1. Generate the CVE diff: `git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java`

  2. Clean up the diff, keeping only the CVE change.

  3. Apply the diff.

  4. Check and make sure only the AutoType CVE change is committed.

```sh
# Collect the distinct issue/PR references (#NNNN) named in the last 17 commits
# that touched SubTypeValidator.java since ad5a630.
# Note: `git log1` is presumably a local git alias (a one-line log format);
# it is not defined in this commit message.
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java \
  | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' \
  | sort | uniq)
echo "$PR_LIST" | wc -l
echo $PR_LIST
```
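The commit message above describes auditing a backport by pulling the `#NNNN` issue/PR references out of the upstream commit subjects. The following is an added example, not code from the jackson-databind project or from the commit above: it runs the same awk extraction over a constructed sample of one-line log output (made-up hashes and subjects, not real history) and adds a check for which expected references are missing, which is the question a reviewer of a security backport actually wants answered.

```sh
#!/bin/sh
# Added example: extract distinct GitHub issue/PR references from commit
# subjects and compare them against the list a backport claims to cover.
# The log below is constructed for illustration; hashes and subjects are
# not from the real jackson-databind repository.
SAMPLE_LOG='1111111 Block one more gadget type (commons-proxy) (#2666)
2222222 Merge fixes for #2670, #2680 and #2682
3333333 Unrelated refactor of TypeFactory
4444444 Backport of #2666 and #2670 to 2.9 branch'

# Read log lines on stdin; print each #NNNN token once, sorted.
# Fields are split on spaces, commas and parentheses so "(#2666)" and
# "#2670," are recognised as references.
extract_pr_refs() {
    awk -F'[ ,()]+' '{
        for (i = 1; i <= NF; i++) {
            if (match($i, /^#[0-9]+$/)) print $i
        }
    }' | sort -u
}

# Number of distinct references found in the sample log.
count_pr_refs() {
    printf '%s\n' "$SAMPLE_LOG" | extract_pr_refs | wc -l | tr -d ' '
}

# Given the references a backport is expected to contain (as arguments),
# print the ones that do not appear in the sample log, one per line.
missing_refs() {
    found=$(printf '%s\n' "$SAMPLE_LOG" | extract_pr_refs)
    for ref in "$@"; do
        printf '%s\n' "$found" | grep -qx -- "$ref" || printf '%s\n' "$ref"
    done
}

# Stand-alone usage: list what was found, then report gaps against a
# hypothetical expected list.
printf '%s\n' "$SAMPLE_LOG" | extract_pr_refs
echo "distinct refs: $(count_pr_refs)"
echo "missing from backport:"
missing_refs '#2666' '#2670' '#2688'
```

The anchored regex `^#[0-9]+$` is stricter than the original `/#[0-9]+/` so that a token such as `v2.9#1` is not mistaken for a reference; `sort -u` replaces the `sort | uniq` pair with a single step.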
