[JSWSERVER-20705] JSW Server not vulnerable to an Insecure Deserialization issue in Jackson Databind - CVE-2018-14720 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: None
Affects Version/s: 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4
Component/s: Versions
Labels:

Introduced in Version:
8.05
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This vulnerability in a transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version of applinks so that scanners should not flag this issue in versions after 8.5.5.

There are no comments yet on this issue.

Assignee:: Daniel Rauf

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 23/Sep/2020 9:05 PM

Updated:: 14/Oct/2020 12:45 AM

Resolved:: 23/Sep/2020 9:06 PM

Jira Software Data Center

Details

Description

Attachments

Forms

Activity

[JSWSERVER-20705] JSW Server not vulnerable to an Insecure Deserialization issue in Jackson Databind - CVE-2018-14720

People

Dates