Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Block one more gadget type (HikariCP, CVE-2019-14540) #2410

Closed
iSafeBlue opened this issue Aug 6, 2019 · 8 comments
Closed

Block one more gadget type (HikariCP, CVE-2019-14540) #2410

iSafeBlue opened this issue Aug 6, 2019 · 8 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

@iSafeBlue
Copy link

iSafeBlue commented Aug 6, 2019

Another gadget (*) type report regarding HikariConfig, via HikariDataSource

Mitre id: CVE-2019-14540
Reporter: iSafeBlue / blue at ixsec.org

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

Fixed in:

  • 2.9.10
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later
@Ramos-dev
Copy link

it also work find on fastjson.

@cowtowncoder
Copy link
Member

Thank you for the report -- I got the email and had a look at linked to explanation.
Seems legit.

@jdelta-RBS
Copy link

maybe this one will get 3 CVEs : )

@cowtowncoder cowtowncoder added 2.8 CVE Issues related to public CVEs (security vuln reports) labels Aug 9, 2019
@cowtowncoder
Copy link
Member

Block added, will be included in:

  • 2.9.10
  • 2.10.0.pr2 (and final 2.10.0)

also backported in 2.8 branch but not sure if any more releases for 2.8 will be made.

@OrangeDog
Copy link

When is 2.9.10 being released?
Looks like another repeat of the delay on the previous security fixes.

@cowtowncoder
Copy link
Member

@OrangeDog 2.9.10 will be released after 2.10.0, likely in 2 weeks.

@jordandev
Copy link

No 2.9.9.4 micro patch for this?

@cowtowncoder
Copy link
Member

Nope.

ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Development

No branches or pull requests

6 participants