CVE-2020-14060: Block one more gadget type (apache-drill, CVE-2020-14060) · Issue #2688 · FasterXML/jackson-databind

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).


Issue timeline

May 8, 2020: martokarski pushed a commit to atlassian/jackson-1 that referenced this issue.

Jun 14, 2020: cowtowncoder changed the title from "Block one more gadget type (-)" to "Block one more gadget type (apache-drill)".

Jun 14, 2020: cowtowncoder changed the title from "Block one more gadget type (apache-drill)" to "Block one more gadget type (apache-drill, CVE-2020-14060)".

Sep 21, 2020: qxo added a commit to qxo/jackson-databind that referenced this issue.

Sep 21, 2020: qxo mentioned this issue.

Sep 22, 2020: cowtowncoder pushed a commit, authored by qxo, that referenced this issue. Its commit message follows.

#2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

  1. Generate the CVE diff: git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

  2. Clean up the diff, leaving just the CVE change.

  3. Apply the diff.

  4. Check and make sure only the AutoType CVE change is committed.

```
# Collect every "#NNNN" issue/PR reference from the last 17 commits that touched SubTypeValidator.
# The original reads "git log1", presumably a local alias for "git log".
PR_LIST=$(git log -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java \
  | awk -F'[ ,]+' '{ for (i = 1; i <= NF; i++) { a = $(i); if (match(a, /#[0-9]+/)) { print a } } }' \
  | sort | uniq)
# Number of distinct references, then the references themselves.
echo "$PR_LIST" | wc -l
echo $PR_LIST
```
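The reference-extraction step above depends on a live git history. The following is an added example, not part of the commit or of the jackson-databind project, that runs the same awk/sort/uniq pipeline over a few constructed git-log lines (the hashes and subjects are made up) so the behaviour can be checked offline. Unlike the original, it prints only the matched "#NNNN" token rather than the whole word, so surrounding parentheses are dropped.

```shell
#!/bin/sh
# Constructed sample of `git log --oneline`-style output; hashes and
# subjects are invented for illustration only.
SAMPLE_LOG='a1b2c3d Block one more gadget type (apache-drill, CVE-2020-14060) (#2688)
b2c3d4e Merge fixes for #2670, #2680 and #2682
c3d4e5f Backport of #2688 to 2.9 branch
d4e5f6a Unrelated refactoring, no issue reference'

# Read log text on stdin; print each distinct "#NNNN" token, one per line, sorted.
# Fields are split on runs of spaces and commas, as in the original pipeline;
# substr(RSTART, RLENGTH) keeps only the matched token, not e.g. "(#2688)".
extract_pr_numbers() {
    awk -F'[ ,]+' '{
        for (i = 1; i <= NF; i++) {
            a = $(i)
            if (match(a, /#[0-9]+/)) print substr(a, RSTART, RLENGTH)
        }
    }' | sort | uniq
}

# Count of distinct references, mirroring the `wc -l` check in the commit message.
count_pr_numbers() {
    printf '%s\n' "$SAMPLE_LOG" | extract_pr_numbers | wc -l | tr -d ' '
}

# Stand-alone run: list the references, then the count.
printf '%s\n' "$SAMPLE_LOG" | extract_pr_numbers
count_pr_numbers
```

Running the block lists #2670, #2680, #2682 and #2688 and then prints 4; the duplicate #2688 from the backport line is collapsed by `sort | uniq`.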
