Jackson Databind CVE-2022-42003


David E Jones

Oct 7, 2022, 7:24:20 PM
to mo...@googlegroups.com
Jackson Databind has an outstanding vulnerability without a fixed version released yet, so this is a PSA until moqui-framework is updated with the new version:


From the details it looks like this is only an issue if the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled, and by default in moqui-framework it is not (for example see ContextJavaUtil.java:579). If you have code that does use this feature then this issue will impact you, otherwise it looks like nothing is needed now.

-David
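
One way to run the check described above over your own components, as an added example that is not part of the original post or of moqui-framework: a shell function that lists every reference to `UNWRAP_SINGLE_VALUE_ARRAYS` in a source tree and labels each hit with a text heuristic. The function name, the scanned file extensions and the labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a source tree for Jackson's UNWRAP_SINGLE_VALUE_ARRAYS
# deserialization feature. Output is one line per hit:
#   STATUS<TAB>path:line:source text
# STATUS is a text heuristic, not a parse of the code:
#   ENABLED  - line appears to turn the feature on
#   DISABLED - line appears to turn the feature off
#   REVIEW   - feature is mentioned some other way (comment, variable, ...)

audit_unwrap() {
    dir=${1:-.}
    # Scan only source-like files (extension list is an assumption).
    find "$dir" -type f \( -name '*.java' -o -name '*.groovy' \
            -o -name '*.kt' -o -name '*.xml' \) \
        -exec grep -Hn 'UNWRAP_SINGLE_VALUE_ARRAYS' {} + 2>/dev/null |
    awk '{
        # Classify on the source text only, not on the path:line: prefix.
        text = $0
        sub(/^[^:]*:[0-9]+:/, "", text)
        if (text ~ /disable[ \t]*\(|without[ \t]*\(|,[ \t]*false/)
            status = "DISABLED"
        else if (text ~ /enable[ \t]*\(|with[ \t]*\(|,[ \t]*true/)
            status = "ENABLED"
        else
            status = "REVIEW"
        print status "\t" $0
    }'
}

# Number of hits with the given STATUS under a directory.
count_status() {
    audit_unwrap "$2" | grep -c "^$1"
}

# Stand-alone use: sh audit_unwrap.sh path/to/component
if [ "$#" -gt 0 ]; then
    audit_unwrap "$1"
fi
```

Treat `ENABLED` and `REVIEW` lines as places to read by hand; a mapper configured through a variable or a helper method will not be labelled correctly by a text match.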

David E Jones

Oct 27, 2022, 4:01:16 PM
to mo...@googlegroups.com

Quick update on this, jackson-databind is updated in this commit to address this issue:
