FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Jackson-databind version <= 2.9.3
Jackson-databind version <= 18.104.22.168
Jackson-databind version <= 2.8.10
Jackson-databind version 22.214.171.124
Jackson-databind version 126.96.36.199
Jackson-databind version 2.8.11
@maintainer(s): "Developers are advised to check whether the jackson-databind component is used in applications, and if so, to further check its version number and whether the enableDefaultTyping method is called in the code"
How to check:
1. get source file
2. jackson-databind is included in pom.xml
3. grep for "<artifactId>jackson-databind</artifactId>" and version is affected listed in Affection section.
4.check whether the `enableDefaultTyping` method is called in the code.
If yes for 2,3,4... package is affected.
The bug has been referenced in the following commit(s):
Author: Aaron Bauman <email@example.com>
AuthorDate: 2019-04-13 03:21:11 +0000
Commit: Aaron Bauman <firstname.lastname@example.org>
CommitDate: 2019-04-13 03:22:33 +0000
profiles/package.mask: add dev-java/jackson-databind
* Multiple security vulnerabilities
* No revbump in several years
Signed-off-by: Aaron Bauman <email@example.com>
profiles/package.mask | 12 ++++++++++++
1 file changed, 12 insertions(+)
Package removed from the Portage tree.