CVE-2020-25649: jackson-databind

Article ID: 205604

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

Code scans have flagged a new vulnerability in Introscope 10.7.0.309: CVE-2020-25649, which affects the bundled jackson-databind library.

Vulnerability Id:
CVE-2020-25649

Description:
Addendum: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases

References:
https://github.com/FasterXML/jackson-databind/commit/e588f0af61b18576779ffb95a2a689a5eb1f9d15
https://github.com/FasterXML/jackson-databind/issues/2589

Filename:
com.fasterxml.jackson.core.jackson-databind-2.9.10.6.jar

Environment

Release : 10.7.0

Component : Introscope

Resolution

An update to jackson-databind 2.9.10.7 is provided in 10.7 Hotfix 75, which is available on request from Broadcom support.
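To confirm the hotfix actually landed, an added example (not Broadcom's or the jackson project's own tooling) that walks an install tree and flags every jackson-databind jar older than the fixed 2.9.10.7 release; it reads the version from the jar's Maven descriptor (assumed to sit at the standard META-INF/maven path) and falls back to the filename, and the sample tree it audits is constructed inline.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = "2.9.10.7"  # first release carrying the CVE-2020-25649 fix, per the article
# Maven descriptor that jackson-databind jars carry (assumption: standard Maven packaging)
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
NAME_RE = re.compile(r"jackson-databind-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.9.10.6' -> (2, 9, 10, 6); tuples compare component-wise, so 2.9.10.7 > 2.9.10.6."""
    return tuple(int(p) for p in text.split("."))


def jar_version(path):
    """Prefer the version recorded inside the jar; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a real jar; fall through to the filename heuristic
    m = NAME_RE.search(os.path.basename(path))
    return m.group(1) if m else None


def find_vulnerable_jars(root, fixed=FIXED_VERSION):
    """Return [(path, version)] for every jackson-databind jar under root older than `fixed`."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if "jackson-databind" in name and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                if ver is not None and parse_version(ver) < parse_version(fixed):
                    hits.append((path, ver))
    return hits


def demo():
    """Constructed sample tree: the OSGi-named 2.9.10.6 jar from the article beside a fixed jar."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "com.fasterxml.jackson.core.jackson-databind-2.9.10.6.jar")
    with zipfile.ZipFile(old, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.9.10.6\n")
    with zipfile.ZipFile(os.path.join(root, "jackson-databind-2.9.10.7.jar"), "w") as zf:
        zf.writestr(POM_PROPS, "version=2.9.10.7\n")
    return [ver for _, ver in find_vulnerable_jars(root)]  # -> ['2.9.10.6']
```

Point find_vulnerable_jars at the Introscope installation root; an empty result means no jackson-databind jar older than 2.9.10.7 remains on disk.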