{"schema_version":"1.7.2","id":"OESA-2022-1782","modified":"2022-07-26T11:04:02Z","published":"2022-07-26T11:04:02Z","upstream":["CVE-2019-17531"],"summary":"jackson-databind security update","details":"The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on the core streaming parser/generator package, and uses Jackson Annotations for configuration.\r\n\r\nSecurity Fix(es):\r\n\r\nA Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. (CVE-2019-17531)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"jackson-databind","purl":"pkg:rpm/openEuler/jackson-databind\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.8-8.oe1"}]}],"ecosystem_specific":{"noarch":["jackson-databind-2.9.8-8.oe1.noarch.rpm","jackson-databind-javadoc-2.9.8-8.oe1.noarch.rpm"],"src":["jackson-databind-2.9.8-8.oe1.src.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP3","name":"jackson-databind","purl":"pkg:rpm/openEuler/jackson-databind\u0026distro=openEuler-20.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.8-8.oe1"}]}],"ecosystem_specific":{"noarch":["jackson-databind-2.9.8-8.oe1.noarch.rpm","jackson-databind-javadoc-2.9.8-8.oe1.noarch.rpm"],"src":["jackson-databind-2.9.8-8.oe1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1782"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17531"}],"database_specific":{"severity":"Critical"}}