[JIRA] (JENKINS-51344) Jackson-Databind needs to be upgraded to 2.9.4+ to address CVE-2018-5968

bill@stephensfamily.us (JIRA)

unread,

May 15, 2018, 10:40:02 AM5/15/18

to jenkinsc...@googlegroups.com

Bill Stephens created an issue

Jenkins /

JENKINS-51344

Jackson-Databind needs to be upgraded to 2.9.4+ to address CVE-2018-5968

Issue Type:	Improvement
Assignee:	Marcel Birkner
Components:	ec2-deployment-dashboard-plugin, github-plugin, jira-plugin
Created:	2018-05-15 14:39
Priority:	Major
Reporter:	Bill Stephens

Jackson-databind jar needs to be updated to 2.9.4+ to address https://nvd.nist.gov/vuln/detail/CVE-2018-5968

Add Comment

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

dbeck@cloudbees.com (JIRA)

unread,

May 15, 2018, 10:47:02 AM5/15/18

to jenkinsc...@googlegroups.com

Daniel Beck commented on

JENKINS-51344

Re: Jackson-Databind needs to be upgraded to 2.9.4+ to address CVE-2018-5968

Specifically, the CVE being identified by crappy security scanners, as none of these plugins opt in to the affected feature in jackson-databind, last time I checked at least.

Add Comment

o.v.nenashev@gmail.com (JIRA)

unread,

May 15, 2018, 10:50:02 AM5/15/18

to jenkinsc...@googlegroups.com

Oleg Nenashev commented on

JENKINS-51344

Re: Jackson-Databind needs to be upgraded to 2.9.4+ to address CVE-2018-5968

Bill Stephens just for the future, please follow the https://jenkins.io/security/#reporting-vulnerabilities process if you see security-related issues. Regarding this particular CVE, we recently did investigation, and we didn't discover any usages of the vulnerable API in JIRA. Updates would be nice, but there is no security defect on the Jenkins side. If you see ones, please report them accordingly.

Generally all listed plugins should switch to Jackson Databind Plugin or Jackson2 API Plugin so that they do not bundle the dependencies on their own