GHSA-h4x4-5qp2-wp46

Source
https://github.com/advisories/GHSA-h4x4-5qp2-wp46
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-h4x4-5qp2-wp46/GHSA-h4x4-5qp2-wp46.json
Aliases
Published
2018-12-21T17:46:54Z
Modified
2024-03-14T05:31:45.849673Z
Details

FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Databind that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

References

Affected packages

Maven / com.fasterxml.jackson.datatype:jackson-datatype-jsr310

Package

Name
com.fasterxml.jackson.datatype:jackson-datatype-jsr310

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.9.8

Affected versions

2.*

2.2.0-beta1
2.2.1-beta2
2.2.2-beta3
2.2.2-beta4
2.2.3-beta5
2.3.0-beta6
2.3.0-beta7
2.3.0-rc1
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0-rc2
2.4.0-rc3
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.5.0-rc1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0-rc1
2.6.0-rc2
2.6.0-rc3
2.6.0-rc4
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.7.0-rc1
2.7.0-rc2
2.7.0-rc3
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.8.0.rc1
2.8.0.rc2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7