jackson-databind is vulnerable to remote code execution. Affected versions do not block the commons-configuration and commons-configuration2 classes during deserialization, which would allow a remote attacker to execute arbitrary code.
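The missing blocklist entries above are one instance of a recurring pattern in jackson-databind default typing, where each newly found gadget class needs its own entry. As an added example (not code from the advisory or from the jackson-databind project), the following Java snippet shows the defensive configuration that does not depend on a blocklist: an allowlist-based PolymorphicTypeValidator, available in jackson-databind 2.10 and later. The Event, LoginEvent and NotAnEvent classes and the JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {
    // Hypothetical application-owned base type; only its subtypes may be named in a type id.
    public static abstract class Event { public String id; }
    public static class LoginEvent extends Event { public String user; }
    // Hypothetical type the application never expects over the wire.
    public static class NotAnEvent { public String payload; }

    public static ObjectMapper build() {
        // Allowlist: a type id is accepted only if the resolved class extends Event.
        // Anything else is rejected before a deserializer is even constructed,
        // so no blocklist of known gadget classes is needed.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Event.class)
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = build();

        // Constructed input naming an allowed subtype: accepted.
        String ok = "[\"SafeDefaultTyping$LoginEvent\",{\"id\":\"1\",\"user\":\"alice\"}]";
        Object accepted = mapper.readValue(ok, Object.class);
        System.out.println("accepted: " + accepted.getClass().getSimpleName()
            + " user=" + ((LoginEvent) accepted).user);

        // Constructed input naming a class outside the allowlist: rejected with
        // InvalidTypeIdException regardless of whether the class is on any blocklist.
        String bad = "[\"SafeDefaultTyping$NotAnEvent\",{\"payload\":\"x\"}]";
        try {
            mapper.readValue(bad, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected type id: " + ex.getTypeId());
        }
    }
}
```

Applications that must keep enabling default typing on older releases should upgrade, since only the validator API lets the accepted types be stated positively instead of enumerating every gadget class to exclude.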
access.redhat.com/errata/RHSA-2020:0729
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892
bugzilla.suse.com/show_bug.cgi?id=1157185
github.com/FasterXML/jackson-databind/issues/2462
lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
security.netapp.com/advisory/ntap-20200904-0005/