RCE jackson-databind

2019-11-19T20:26:41
ID ATLASSIAN:BAM-20722
Type atlassian
Reporter smoorthy
Modified 2019-11-19T21:11:04

Description

h3. Issue Summary

https://hello.atlassian.net/wiki/spaces/SECURITY/pages/566213966/CVE-2019-17267+Investigation+jackson-databind+RCE+again

h3. Steps to Reproduce

# search on stash for jackson-databind
# https://stash.atlassian.com/plugins/servlet/search?q=project%3ABAM%20repo%3Abamboo%20jackson-databind

h3. Expected Results

version 2.10.0 or above

h3. Actual Results

Are there vulnerable versions in this repo or others that belong to Bamboo?

The below exception is thrown in the xxxxxxx.log file:
{noformat}
...
{noformat}

h3. Workaround

Currently there is no known workaround for this.