Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

Emmanuel Bourg ebourg at apache.org
Sat May 30 13:50:32 BST 2020


Control: severity -1 important

On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:

> The following vulnerability was published for jodd. I'm filing it as
> RC severity since although one might dispute the severity for the issue
> itself, it looks that in Debian there was ever only one upload of
> jodd, there are no reverse (build) dependencies either.
> 
> Is the package actually of some use or planned use?

Thank you for the report Salvatore.

jodd is a new dependency of JMeter 3; I haven't finished the packaging yet.

Note that the fix for CVE-2018-21234 merely adds an optional
whitelisting feature to check the classes being deserialized. But the
default behavior is still the same (no check), so the charge of
addressing the vulnerability is actually shifted to the applications
using jodd.

Emmanuel Bourg
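As an added illustration of the point made in this message (example code, not from the bug report, from Debian, or from the jodd project itself): an application that keeps jodd's default parser configuration gets no class check at all, while one that opts in registers an allowlist and has unlisted class names rejected. The API names used below (`jodd.json.JsonParser`, `withClassMetadata`, `allowClass`, `parse(String, Class)`, `JsonException`) are what I recall of the JsonParser API that shipped with the CVE-2018-21234 fix and are assumptions to verify against the jodd version being packaged; the `Invoice` class, the `"__class"` metadata key and the JSON documents are constructed for the example.

```java
import jodd.json.JsonException;
import jodd.json.JsonParser;

public class JoddAllowlistExample {

    // Constructed target type for the example.
    public static class Invoice {
        public String id;
        public int amount;
    }

    // Constructed input. The "__class" key asks the parser to instantiate
    // whatever type is named there, which is the behaviour the CVE is about.
    static final String TRUSTED_INPUT =
        "{\"__class\":\"com.example.Invoice\",\"id\":\"INV-1\",\"amount\":42}";

    // Constructed input naming a type outside the application's own package.
    static final String UNLISTED_INPUT =
        "{\"__class\":\"com.other.NotAllowed\",\"id\":\"INV-2\",\"amount\":7}";

    // Weak: the default parser. Class metadata is honoured and no allowlist
    // is configured, so the check added by the fix never runs (assumption:
    // withClassMetadata(true) enables reading the "__class" key).
    static Invoice parseUnchecked(String json) {
        return new JsonParser()
            .withClassMetadata(true)
            .parse(json, Invoice.class);
    }

    // Hardened: only classes matching the registered pattern may be
    // instantiated (assumption: allowClass takes a wildcard class pattern and
    // an unlisted name makes parse() throw JsonException).
    static Invoice parseAllowlisted(String json) {
        return new JsonParser()
            .withClassMetadata(true)
            .allowClass("com.example.*")
            .parse(json, Invoice.class);
    }

    // Returns true when the allowlisted parser rejected the document.
    static boolean rejectedByAllowlist(String json) {
        try {
            parseAllowlisted(json);
            return false;
        } catch (JsonException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Invoice ok = parseAllowlisted(TRUSTED_INPUT);
        System.out.println("allowlisted parse: " + ok.id + " / " + ok.amount);
        System.out.println("unlisted class rejected: " + rejectedByAllowlist(UNLISTED_INPUT));
        // parseUnchecked(UNLISTED_INPUT) would attempt to resolve the named
        // class without any check; that is the behaviour applications using
        // jodd must opt out of themselves.
    }
}
```

The point to take from this is the one in the message above: upgrading jodd alone changes nothing for an application that never calls `allowClass`; each consumer of the library has to add the allowlist (or avoid enabling class metadata on untrusted input) itself.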
