Hi, have a good day. We are using the atlassian/jira-software:8.9 image from hub.Docker.com in our environment.
We found some vulnerabilities while scanning the image with the Artifactory X-ray scanner:
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Severity: High
Provider: JFrog
Component: com.fasterxml.jackson.core:jackson-databind
Affected versions: < 2.7.9.3, 2.8.0 <= Version < 2.8.11.1, 2.9.0.pr1 <= Version < 2.9.5
Fixed versions: 2.9.5, 2.8.11.1, 2.7.9.3
Scan date: 2020-08-11T02:11:29-05:00
Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-7525
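One triage step a practitioner would take before escalating a finding like this is to check which jackson-databind jar the image actually ships and compare it against the affected ranges the scanner reported. The script below is an added example, not code from the original post or from Atlassian; the ranges are the ones in the finding above, and the jar listing is a constructed sample, not the real contents of the jira-software:8.9 image.

```python
import re

# Affected ranges exactly as reported by the X-ray finding (lower bound None = no lower bound).
# "2.9.0.pr1" is a pre-release tag and must sort *before* the final 2.9.0.
AFFECTED_RANGES = [
    (None, "2.7.9.3"),        # < 2.7.9.3
    ("2.8.0", "2.8.11.1"),    # 2.8.0 <= Version < 2.8.11.1
    ("2.9.0.pr1", "2.9.5"),   # 2.9.0.pr1 <= Version < 2.9.5
]

def version_key(version, width=6):
    """Convert '2.9.0.pr1' into a tuple that compares the way Maven users expect.
    Numeric parts become (1, n); pre-release parts such as pr1/rc2 become (0, n), so they
    sort below the final release. Keys are padded with (1, 0) so 2.8.11 < 2.8.11.1 and
    2.9.0.pr1 < 2.9.0 both hold."""
    key = []
    for tok in version.lower().split("."):
        if tok.isdigit():
            key.append((1, int(tok)))
        else:
            m = re.fullmatch(r"[a-z]+(\d*)", tok)
            if not m:
                raise ValueError(f"unrecognised version token {tok!r} in {version!r}")
            key.append((0, int(m.group(1) or 0)))
    key += [(1, 0)] * (width - len(key))
    return tuple(key)

def is_affected(version):
    """True if the version falls inside any affected range from the finding."""
    k = version_key(version)
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or version_key(lo) <= k) and k < version_key(hi):
            return True
    return False

# Constructed sample listing, e.g. from: find / -name 'jackson-databind-*.jar' inside the container.
SAMPLE_LISTING = """/opt/atlassian/jira/atlassian-jira/WEB-INF/lib/jackson-databind-2.9.4.jar
/opt/atlassian/jira/lib/jackson-databind-2.10.0.jar
/opt/atlassian/jira/lib/other-library-1.0.jar"""

def triage_jars(listing):
    """Return [(path, version, affected)] for every jackson-databind jar in the listing."""
    results = []
    for path in listing.splitlines():
        m = re.search(r"jackson-databind-(\d[\w.]*?)\.jar$", path)
        if m:
            results.append((path, m.group(1), is_affected(m.group(1))))
    return results
```

Only jars whose version lands inside a reported range need to be raised with the vendor; a jar at or above a fixed version is a scanner false positive for this finding.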
Hi Anil,
Usually you can find information about fixed security vulnerabilities in the release notes. That means the versions they are fixed in are usually listed in the release notes:
https://confluence.atlassian.com/jirasoftware/jira-software-8-5-x-release-notes-975014654.html
The above example is for Jira v8.5.
For the current finding (CVE-2017-7525), please consider the statement that no product is known to be affected.
In case you are convinced this statement has to be revised, you can report it to the Security team. Here in the Community the likelihood that it will be seen is rather small.
Cheers,
Daniel