Security vulnerabilities

Anil Kumar September 14, 2020

Hi, have a good day. We are using the atlassian/jira-software:8.9 image from hub.docker.com in our environment.
We found some vulnerabilities while scanning the image with the Artifactory X-ray scanner:


FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Severity: High
Source: JFrog
Component: com.fasterxml.jackson.core:jackson-databind
Affected versions: < 2.7.9.3; 2.8.0 <= Version < 2.8.11.1; 2.9.0.pr1 <= Version < 2.9.5
Fixed versions: 2.9.5, 2.8.11.1, 2.7.9.3
Scanned: 2020-08-11T02:11:29-05:00

https://nvd.nist.gov/vuln/detail/CVE-2017-7525
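One check worth doing on a finding like this is to confirm which jackson-databind jar actually ships in the image and whether its version falls inside the ranges the scanner quotes, rather than trusting the scanner's match alone. The script below is an added example, not code from the original post, Atlassian or JFrog: it takes jar paths as they would come out of a `find` run inside the container (the paths here are constructed sample input, not real paths from the Jira image), extracts the version from each jackson-databind jar name, and tests it against the three affected ranges from the finding, handling the `.pr1` pre-release form the finding uses as a lower bound.

```python
"""Triage jackson-databind jar versions against the scanner's affected ranges."""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges as quoted in the X-ray finding: (lower bound inclusive or None,
# upper bound exclusive).  The upper bounds are the fixed versions.
VULNERABLE_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "2.7.9.3"),
    ("2.8.0", "2.8.11.1"),
    ("2.9.0.pr1", "2.9.5"),
]

# Matches jar names such as jackson-databind-2.9.10.jar or jackson-databind-2.9.0.pr1.jar
JAR_RE = re.compile(r"jackson-databind-(\d+(?:\.\d+)*(?:\.pr\d+)?)\.jar$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn a version string into a tuple that orders correctly.

    Numeric components compare numerically and are padded to four places so
    2.8 == 2.8.0.0.  A trailing pre-release marker (pr1) sorts below the final
    release of the same number, so 2.9.0.pr1 < 2.9.0 < 2.9.1.
    """
    nums: List[int] = []
    pre: Optional[int] = None
    for part in version.split("."):
        m = re.fullmatch(r"pr(\d+)", part)
        if m:
            pre = int(m.group(1))
        else:
            nums.append(int(part))
    while len(nums) < 4:
        nums.append(0)
    # Second element: 1 for a final release, 0 for a pre-release; third: pre number.
    return (tuple(nums), 1 if pre is None else 0, pre or 0)


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside any of the scanner's affected ranges."""
    v = parse_version(version)
    for lower, upper in VULNERABLE_RANGES:
        if lower is not None and v < parse_version(lower):
            continue
        if v < parse_version(upper):
            return True
    return False


def triage_jar_paths(paths: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Map each jackson-databind jar path to (version, vulnerable?).

    Paths that are not jackson-databind jars (e.g. jackson-core) are ignored.
    """
    results: Dict[str, Tuple[str, bool]] = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            version = m.group(1)
            results[path] = (version, is_vulnerable(version))
    return results


# Constructed sample input (hypothetical paths, not taken from the Jira image):
# what `find / -name 'jackson-databind-*.jar'` inside a container might print.
SAMPLE_FIND_OUTPUT = [
    "/opt/example-app/WEB-INF/lib/jackson-databind-2.9.10.jar",
    "/opt/example-app/plugins/lib/jackson-databind-2.8.7.jar",
    "/opt/example-app/plugins/lib/jackson-core-2.8.7.jar",
]

if __name__ == "__main__":
    for path, (ver, vuln) in triage_jar_paths(SAMPLE_FIND_OUTPUT).items():
        status = "IN AFFECTED RANGE" if vuln else "not in an affected range"
        print(f"{ver:12} {status:26} {path}")
```

To get real input, list the jars from the image itself, for example with `docker run --rm --entrypoint find atlassian/jira-software:8.9 / -name 'jackson-databind-*.jar'`, and feed those lines to `triage_jar_paths`. A version outside every range (2.9.10 in the sample) means the scanner matched on something other than the shipped jar, which is the first thing to establish before escalating the finding.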


1 answer

0 votes
Daniel Ebers
Rising Star
October 11, 2020

Hi Anil,

Usually you can find information about fixed security vulnerabilities in the release notes. That means the version they are fixed in is usually listed in the release notes:
https://confluence.atlassian.com/jirasoftware/jira-software-8-5-x-release-notes-975014654.html
The above example is for Jira v8.5.

For the current finding (CVE-2017-7525) please consider the statement that no product is known to be affected.

In case you are convinced this statement has to be revised, you can report it to the Security team. Here in the Community the likelihood that it will be seen is rather small.

Cheers,
Daniel
