GHSA-h4x4-5qp2-wp46
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h4x4-5qp2-wp46
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-h4x4-5qp2-wp46/GHSA-h4x4-5qp2-wp46.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h4x4-5qp2-wp46
- Aliases
- Published
- 2018-12-21T17:46:54Z
- Modified
- 2024-03-14T05:31:45.849673Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Moderate severity vulnerability that affects com.fasterxml.jackson.datatype:jackson-datatype-jsr353
- Details
-
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Databind that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
- Database specific
{ "nvd_published_at": "2018-12-20T17:29:00Z", "cwe_ids": [ "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:38:51Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000873
- https://github.com/FasterXML/jackson-modules-java8/issues/90
- https://github.com/FasterXML/jackson-modules-java8/pull/87
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20200904-0004
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://github.com/advisories/GHSA-h4x4-5qp2-wp46
- https://github.com/FasterXML/jackson-modules-java8
- https://bugzilla.redhat.com/show_bug.cgi?id=1665601
Affected packages
Maven / com.fasterxml.jackson.datatype:jackson-datatype-jsr310
Package
- Name
- com.fasterxml.jackson.datatype:jackson-datatype-jsr310
- View open source insights on deps.dev
- Purl
- pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.9.8
Affected versions
2.*
2.2.0-beta1
2.2.1-beta2
2.2.2-beta3
2.2.2-beta4
2.2.3-beta5
2.3.0-beta6
2.3.0-beta7
2.3.0-rc1
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0-rc2
2.4.0-rc3
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.5.0-rc1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0-rc1
2.6.0-rc2
2.6.0-rc3
2.6.0-rc4
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.7.0-rc1
2.7.0-rc2
2.7.0-rc3
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.8.0.rc1
2.8.0.rc2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7