Block one more gadget type (org.docx4j.org.apache:xalan-interpretive, CVE-2020-36183) #3003

Closed

Labels

Milestone

opened

Another gadget type(s) reported regarding class(es) of org.docx4j.org.apache:xalan-interpretive library.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Reporter(s): differ (of Zorelworld iLab team)
Mitre id: CVE-2020-36183

Note: derivative of #2469 (embedded Xalan)

Fix is included in:

2.9.10.8
2.6.7.5
Not considered valid CVE for Jackson 2.10.0 and later (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)

Metadata

Assignees

No one assigned

Labels

Type

No type

Projects

No projects

Milestone

2.9.10.8

Relationships

None yet

Development

No branches or pull requests