Description
Published: 2019-10-01
Updated: 2021-07-29
A series of deserialization vulnerabilities has been discovered in Codehaus Jackson 1.9.x as implemented in EAP 7. This CVE addresses CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873 and CVE-2019-12086, originally reported for FasterXML jackson-databind, by implementing a whitelist approach that mitigates these vulnerabilities and similar future ones.
Overview
org.codehaus.jackson:jackson-mapper-asl is a high-performance data binding package built on Jackson JSON processor.
Affected versions of this package are vulnerable to Improper Input Validation, which results in several instances of deserialization of untrusted data. This issue parallels vulnerabilities reported and fixed in jackson-databind (CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086). Although no fix is available for codehaus,
References
[Apache Security Advisory](https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E)
[Apache Security Advisory](https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9@%3Cissues.flume.apache.org%3E)
[GitHub Issue](https://github.com/FasterXML/jackson-databind/issues/2700)
Recommended fix: this vulnerability can be remediated by migrating to a fixed version of jackson-databind.
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
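As an added illustration of the whitelist (allowlist) approach described above, applied on the jackson-databind side of the recommended migration; this is example code, not code from the advisory or from the Jackson project. It assumes jackson-databind 2.10 or later on the classpath, and the `com.example.events` package, the `Event` types and the JSON inputs are constructed for this example.

```java
// Assumes jackson-databind 2.10 or later (PolymorphicTypeValidator API).
package com.example.events;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeEventMapper {

    // Hypothetical polymorphic base type. Id.CLASS means the JSON names the concrete
    // class to instantiate, which is the pattern the CVEs above abuse when no
    // allowlist constrains that class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
    public interface Event {}

    public static class LoginEvent implements Event {
        public String user;
    }

    // Allowlist validator: only class names under our own package may be resolved
    // as subtypes. Anything else is refused before an instance is ever created.
    public static ObjectMapper buildMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")   // constructed prefix for this example
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv);         // governs @JsonTypeInfo-based typing
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = buildMapper();

        // Constructed input naming an allowlisted class: deserializes normally.
        String ok = "{\"@class\":\"com.example.events.SafeEventMapper$LoginEvent\",\"user\":\"alice\"}";
        Event e = mapper.readValue(ok, Event.class);
        System.out.println("accepted: " + ((LoginEvent) e).user);

        // Constructed input naming a class outside the allowlist: rejected with
        // InvalidTypeIdException instead of being instantiated.
        String bad = "{\"@class\":\"java.util.HashMap\",\"user\":\"alice\"}";
        try {
            mapper.readValue(bad, Event.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected: " + ex.getTypeId());
        }
    }
}
```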