Skip to content

Block yet another gadget type (jdom, CVE-2019-12814) #2341

@cowtowncoder

Description

@cowtowncoder

Similar to other polymorphic types with no limits, but for XXE with jdom2.jar, tracked as CVE-2019-12814.

See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Fixed in:

  • 2.9.10
  • 2.8.11.4
  • 2.7.9.6
  • 2.6.7.3

Metadata

Metadata

Assignees

No one assigned

    Labels

    CVEIssues related to public CVEs (security vuln reports)

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions