
JSW Server not vulnerable to an Insecure Deserialization issue in Jackson Databind - CVE-2018-14720

Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This vulnerability in a transitive dependency was being flagged because Jira Software assumed that the version of applinks provided by Jira Core was an earlier version, whereas Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core provides the newer version of applinks, so scanners should not flag this issue in versions after 8.5.5.


David Black made changes -
Labels Original: CVE-2018-14720 cvss-critical security vulnerable-components New: CVE-2018-14720 advisory advisory-released cvss-critical security vulnerable-components

AB made changes -
Description Original: Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This vulnerability in a transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version of applinks so that scanners should not flag this issue in versions after 8.5.5 New: Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This vulnerability in a transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version of applinks so that scanners should not flag this issue in versions after 8.5.5.

AB made changes -
Reporter Original: AB [ ablack@atlassian.com ] New: Security Metrics Bot [ security-metrics-bot ]

Erin Jensby made changes -
Symptom Severity Original: Severity 1 - Critical [ 15830 ] New: Severity 3 - Minor [ 15832 ]

Erin Jensby made changes -
Security Original: Reporter and Atlassian Staff [ 10751 ]

Erin Jensby made changes -
Description Original: Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version of applinks so that scanners should not flag this issue in versions after 8.5.5 New: Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This vulnerability in a transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version of applinks so that scanners should not flag this issue in versions after 8.5.5

Erin Jensby made changes -
Description Original: Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version so that scanners should not flag this issue in versions after 8.5.5 New: Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version of applinks so that scanners should not flag this issue in versions after 8.5.5

Erin Jensby made changes -
Description Original: Some scanners falsely flag versions of Jira Software Server as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). Jira Software Server was not actually using vulnerable versions of Jackson Databind but has been updated so that scanners should not flag this issue. New: Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version so that scanners should not flag this issue in versions after 8.5.5

Bugfix Automation Bot made changes -
Introduced in Version Original: 8.5 New: 8.05

Erin Jensby made changes -
Affects Version/s New: 8.5.4 [ 91092 ]
Affects Version/s New: 8.5.3 [ 90704 ]
Affects Version/s New: 8.5.2 [ 89605 ]
Affects Version/s New: 8.5.1 [ 89601 ]
Affects Version/s New: 8.5.0 [ 87495 ]
Affects Version/s Original: 8.7.1 [ 91206 ]

drauf Daniel Rauf
security-metrics-bot Security Metrics Bot