Block some more DBCP-related potential gadget classes (CVE-2020-36179 - CVE-2020-36182)

One additional, not-yet-blocked type of Apache DBCP (1.x/2.x) library was reported as possible gadget type and should be blocked.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Reporter(s): Al1ex@knownsec
Mitre id(s): 

* [CVE-2020-36179](CVE-2020-36179)
* [CVE-2020-36180](CVE-2020-36180)
* [CVE-2020-36181](CVE-2020-36181)
* [CVE-2020-36182](CVE-2020-36182)

Fix is included in:

*  2.9.10.8
* 2.6.7.5
 * Not considered valid CVE for Jackson 2.10.0 and later (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Block some more DBCP-related potential gadget classes (CVE-2020-36179 - CVE-2020-36182) #3004

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development