
[GHSA-qxxx-2pp7-5hmx] jackson-databind is vulnerable to a deserialization flaw

Open SunBK201 opened this issue 1 year ago • 1 comments

Updates

  • Affected products

Comments

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind

SunBK201, Jun 05 '24 13:06

Hi @SunBK201, all of the reference links for GHSA-qxxx-2pp7-5hmx that I checked say that versions of com.fasterxml.jackson.core:jackson-databind prior to version 2.6.0 are affected by CVE-2017-7525. I'm unable to find any evidence in https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind or the reference links of GHSA-qxxx-2pp7-5hmx to demonstrate that com.fasterxml.jackson.core:jackson-databind prior to version 2.6.0 is not affected by CVE-2017-7525. Unless you are able to find evidence that versions prior to 2.6.0 aren't vulnerable, I can't accept the contribution.

shelbyc, Jun 05 '24 14:06