Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (shiro-core) #2648

Closed
cowtowncoder opened this issue Mar 10, 2020 · 1 comment
Closed

Block one more gadget type (shiro-core) #2648

cowtowncoder opened this issue Mar 10, 2020 · 1 comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.4

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 10, 2020
edited
Loading

Another gadget type reported regarding a class of shiro-core package.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Reporter: (not public)

Fix will be included in:

  • 2.9.10.4
  • 2.8.11.6 (jackson-bom version 2.8.11.20200310)
  • 2.7.9.7
  • Does not affect 2.10.0 and later
@cowtowncoder cowtowncoder added this to the 2.9.10.4 milestone Mar 10, 2020
qxo pushed a commit to qxo/jackson-databind that referenced this issue Mar 10, 2020
@cowtowncoder @qxo
Fix FasterXML#2648
818aa3e
cowtowncoder added a commit that referenced this issue Mar 10, 2020
@cowtowncoder
Fix #2648
3240cab
@cowtowncoder
Copy link
Member Author

Note: there is some suspicion that class blocked might not, in fact, be exploitable, by attackers.
But block is added in abundance of caution as there does not seem to be any chance type would have legit uses.
In general, however, we try to limit to real threats and not include speculative blocks.

This was referenced Mar 11, 2020
Closed
Closed
@cowtowncoder cowtowncoder changed the title Block one more gadget type (shiro-core, CVE-to-be-allocated) Block one more gadget type (shiro-core) Mar 18, 2020
martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020
@mtokarski-atlassian
Block one more gadget type (shiro-core)
b9954f7 
Merged from FasterXML/jackson-databind#2648
@cowtowncoder cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Jul 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.4
Development

No branches or pull requests
1 participant
@cowtowncoder