Headline
CVE-2020-14060: Block one more gadget type (apache-drill, CVE-2020-14060) · Issue #2688 · FasterXML/jackson-databind
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
martokarski pushed a commit to atlassian/jackson-1 that referenced this issue
May 8, 2020
cowtowncoder changed the title Block one more gadget type (-) Block one more gadget type (apache-drill)
Jun 14, 2020
cowtowncoder changed the title Block one more gadget type (apache-drill) Block one more gadget type (apache-drill, CVE-2020-14060)
Jun 14, 2020
qxo added a commit to qxo/jackson-databind that referenced this issue
Sep 21, 2020
qxo mentioned this issue
Sep 21, 2020
cowtowncoder pushed a commit that referenced this issue
Sep 22, 2020
#2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)
generated diff CVE diff git diff ad5a630 – src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
cleanup the diff ,just remain the CVE change
apply the diff
check and make sure only commit the AutoType CVE change.
``` PR_LIST=$(git log1 -n 17 ad5a630 – src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F’[ ,]+’ ‘{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}’ | sort | uniq);echo “$PR_LIST” | wc -l echo $PR_LIST ```