Assessor 4.5.1 contains vulnerable jackson-databind component (CVSS v3: Score: 8.1)
Hello,
with all respect for your great and hard work, this is to let you know that the latest Assessor release (as well as previous releases) contains a vulnerable component at .\Assessor\lib\jackson-databind-2.16.0.jar
The vulnerability is described under CVE ID: CVE-2020-36183, with description:
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
With hope you're going to update this component,
and regards,
Michał
Comments: 2
11 Mar, '25
Moderator Admin
Hi Michal,
Thanks for your comment. As indicated in the description that you provided in this request, CVE-2020-36183 applies to jackson-databind before v2.9.10.8. And, as indicated in this request, Assessor is on v2.16. Since we are using a much later version, this vulnerability is not applicable to Assessor. If this was the result of a vulnerability scan, it seems likely that the scanner is providing a false positive in this case.
Thanks,
Aaron
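The moderator's reasoning above is a version-range check: CVE-2020-36183 applies to jackson-databind 2.x only below the fixed version 2.9.10.8, and 2.16.0 is above that. The following is an added triage script, not code from the thread or from the Assessor project, that reproduces the check for the jar path quoted in the report. The affected range is taken from the CVE text on this page; the extra sample jar names and the fourth version component are constructed for the example. It also shows why a plain string comparison of dotted versions (one common way such matching goes wrong, not a claim about this particular scanner) would wrongly flag 2.16.0.

```python
import re

# Known-affected range, as stated in the CVE description quoted in the report:
# jackson-databind 2.x before 2.9.10.8. Stored as [lower, fixed) on 4-part tuples.
AFFECTED = {
    "jackson-databind": [
        ("CVE-2020-36183", (2, 0, 0, 0), (2, 9, 10, 8)),
    ],
}

# artifact-<version>.jar, e.g. jackson-databind-2.16.0.jar
_JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn a dotted version like '2.9.10.8' into a comparable integer tuple.

    Versions are padded to four components so '2.16.0' and '2.9.10.8'
    compare position by position rather than character by character.
    """
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def naive_string_compare(version, fixed):
    """Lexicographic comparison: the mistake that makes '2.16.0' look older
    than '2.9.10.8' because '1' sorts before '9'. Shown only as a contrast."""
    return version < fixed


def parse_jar_name(path):
    """Extract (artifact, version tuple) from a jar path; None if the name
    does not follow the artifact-version.jar convention."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), parse_version(m.group("version"))


def is_affected(version, lower, fixed):
    """True when lower <= version < fixed, i.e. the CVE's range applies."""
    return lower <= version < fixed


def triage(paths):
    """Check each jar path against AFFECTED; one finding per matching CVE.

    Jars for artifacts with no entry in AFFECTED produce no finding.
    """
    findings = []
    for path in paths:
        parsed = parse_jar_name(path)
        if parsed is None:
            continue
        artifact, version = parsed
        for cve, lower, fixed in AFFECTED.get(artifact, []):
            findings.append({
                "path": path,
                "cve": cve,
                "version": ".".join(str(p) for p in version),
                "applies": is_affected(version, lower, fixed),
            })
    return findings


if __name__ == "__main__":
    # Constructed sample input: the path from the report plus two made-up jars.
    sample = [
        r".\Assessor\lib\jackson-databind-2.16.0.jar",
        "lib/jackson-databind-2.9.10.7.jar",
        "lib/other-lib-1.0.jar",
    ]
    for f in triage(sample):
        verdict = "AFFECTED" if f["applies"] else "not affected (false positive if flagged)"
        print(f"{f['path']}: {f['cve']} -> {verdict}")
```

Running it reports the 2.16.0 jar as not affected and the constructed 2.9.10.7 jar as affected; `naive_string_compare("2.16.0", "2.9.10.8")` returns True, which is the wrong answer a string-based matcher would give. When a scanner flags a component, comparing the flagged version against the CVE's fixed version this way is the quickest way to confirm or dismiss the finding before opening a vendor ticket.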
20 Mar, '25
Michał Wawer
Hello Aaron, yes, you were right; this is a false positive, confirmed by our scan engine vendor. Thanks for your prompt reply on March 11, and sorry for my oversight.
Regards,
Michał