[GHSA-5jmj-h7xm-6q6v] jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties #8406
Hi there @cowtowncoder! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview

Updates the GitHub-reviewed advisory record for GHSA-5jmj-h7xm-6q6v (jackson-databind case-insensitive deserialization bypass) by adjusting the affected-version metadata for the Maven package.

Changes:
- Updates the advisory `modified` timestamp.
- Changes the `fixed` version for the `2.19.0` affected range to `2.22.0`.
- Adds `affected[].database_specific.last_known_affected_version_range` for the same range (`< 2.21.5`).
| }, | ||
| { | ||
| "fixed": "2.21.5" | ||
| "fixed": "2.22.0" |
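Review bot: the `"fixed": "2.22.0"` value in this hunk replaces `2.21.5` for the range that starts at `2.19.0`, but the maintainer's comment on this PR points to FasterXML/jackson-databind#5962 for the actual patch versions and asks for an additional range block, so the fixed version should be confirmed against that issue before this is merged. An advisory whose fixed version is later than the real patch release makes scanners report already-patched builds as vulnerable, and the missing range block the maintainer mentions should be added alongside this change rather than only bumping this single value.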
Related issue on jackson-databind: FasterXML/jackson-databind#5962 @ataillefer There should also be range block for
Yes thanks @cowtowncoder, I wasn't aware of FasterXML/jackson-databind#5962 and the actual patch versions. Though, I don't know how to amend this pull request, since I am not authorized to push to the related branch:

aaf4c90 into ataillefer/advisory-improvement-8406
Hi @ataillefer! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
For Affected versions >= 2.19.0, < 2.21.5, the Patched version is marked as 2.21.5. Though, looking at the Maven Central repository for this artifact, the latest version above 2.21.4 is 2.22.0.

Running a grype scan of our project's artifacts with jackson-databind upgraded from 2.21.4 to 2.22.0 doesn't report the GHSA-5jmj-h7xm-6q6v vulnerability anymore.