Bug 1715075 (CVE-2019-10172) - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
Summary: CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
Keywords:
Status: NEW
Alias: CVE-2019-10172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1697692
Reported: 2019-05-29 14:04 UTC by Pedro Sampaio
Modified: 2020-01-03 13:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries: an XML external entity (XXE) vulnerability, similar to CVE-2016-3720, affects Codehaus's jackson-mapper-asl libraries. The primary threat from this flaw is to data integrity.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2019-05-29 14:04:56 UTC
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.

References:

https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
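The description does not name the affected classes, so the following is an added example (not Red Hat's, Codehaus's or Jackson's code) of the general mitigation for this XXE class of flaw: a DOM parser configured to reject DOCTYPE declarations and external entities, wrapped in a Jackson 1.x custom deserializer for org.w3c.dom.Document so that JSON string fields carrying XML never reach a default, entity-expanding parser. It assumes the Jackson 1.9 API names shown in the imports; the class name SafeDomDeserializer, the helper names and the sample inputs are the example's own.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.codehaus.jackson.JsonParser;
import org.codehaus.jackson.Version;
import org.codehaus.jackson.map.DeserializationContext;
import org.codehaus.jackson.map.JsonMappingException;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.deser.std.StdDeserializer;
import org.codehaus.jackson.map.module.SimpleModule;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Example replacement deserializer for Document that refuses DTDs and external entities. */
public final class SafeDomDeserializer extends StdDeserializer<Document> {

    public SafeDomDeserializer() {
        super(Document.class);
    }

    /** Builds a DocumentBuilderFactory with every entity-expansion path switched off. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: a document without a DTD cannot declare entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses XML text with the hardened factory; throws if a DOCTYPE or entity is present. */
    public static Document parseSafely(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    @Override
    public Document deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException {
        String xml = jp.getText(); // the JSON string value carrying the XML
        try {
            return parseSafely(xml);
        } catch (ParserConfigurationException | SAXException e) {
            throw new JsonMappingException("Refusing to parse XML payload: " + e.getMessage(), e);
        }
    }

    /** Registers this deserializer so it is used instead of the library's default for Document. */
    public static ObjectMapper hardenedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        SimpleModule module = new SimpleModule("safe-dom", new Version(1, 0, 0, null));
        module.addDeserializer(Document.class, new SafeDomDeserializer());
        mapper.registerModule(module);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed sample inputs: a benign document and one that declares an entity in a DTD.
        String benign = "\"<note><to>ops</to></note>\"";
        String withDoctype = "\"<!DOCTYPE note [<!ENTITY x \\\"y\\\">]><note>&x;</note>\"";
        Document ok = mapper.readValue(benign, Document.class);
        System.out.println("parsed root element: " + ok.getDocumentElement().getTagName());
        try {
            mapper.readValue(withDoctype, Document.class);
            System.out.println("unexpected: DOCTYPE input was accepted");
        } catch (IOException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

With the module registered, the default Document deserializer is bypassed for that type; the benign input parses and any input carrying a DOCTYPE is refused before entity expansion can occur. Whether a parser honours each feature URI depends on the JAXP implementation in use, which is why the example sets the DOCTYPE ban and the individual entity features together rather than relying on one of them.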

Comment 3 Jason Shepherd 2019-08-08 04:41:25 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.

Comment 4 Joshua Padman 2019-08-12 02:26:23 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 7 Marian Rehak 2019-11-18 14:50:23 UTC
Acknowledgments:

Name: Brian Stansberry (Red Hat)

Comment 8 Paramvir jindal 2019-11-19 09:04:10 UTC
RHSSO 7.3.3 ships:
rh-sso-7.3/modules/system/layers/base/org/codehaus/jackson/jackson-mapper-asl/main/jackson-mapper-asl-1.9.13.redhat-4.jar

Seems affected, hence creating a tracker for RHSSO.
