Security ticket 10079518 #2382
Labels: bug
gavin2lee added commits that referenced this issue on Jul 13, 2023 (two commits) and Jul 28, 2023.
tangjiawei2017 pushed four commits that referenced this issue on Nov 29, 2024.
1. Description of the problem:
(1.1) jackson-databind: the currently affected version has multiple critical/high-severity vulnerabilities (CVE-2022-42003, CVE-2022-42004, CVE-2020-24616, CVE-2020-9548, CVE-2020-9547, etc.); an attacker can use a carefully crafted request packet to perform remote code execution, denial-of-service attacks and so on against the affected Jackson server.
(1.2) snakeyaml: the version currently in use has vulnerabilities CVE-2022-1471, CVE-2017-18640 and CVE-2022-25857, which can lead to XML entity expansion attacks and DoS attacks.
(1.3) spring_framework: the version currently in use has multiple medium/high-severity vulnerabilities (CVE-2023-20860, CVE-2015-5211, CVE-2018-1275, CVE-2018-15756, etc.), which can lead to remote code execution, reflected file download attacks, denial-of-service attacks and so on.
2. Remediation recommendations:
Before closing the ticket, please check on the Dongcha security vulnerability self-check platform (https://uat.dongcha.weoa.com) whether all vulnerabilities have been fixed;
(2.1) jackson-databind: upgrade to 2.12.7.1, 2.13.4.1 or a later version.
(2.2) snakeyaml: it is recommended to upgrade to version 2.0 (note that spring-boot must be upgraded to 2.7.10, otherwise there will be compatibility problems); for versions in the range 1.27 ≤ snakeyaml < 2.0, if you confirm that the Constructor() class is not used, you can contact the ticket submitter to extend the ticket handling time.
(2.3) spring_framework: 6.0.x users upgrade to 6.0.7 or later; 5.3.x users upgrade to 5.3.26 or later; 5.2.x users upgrade to 5.2.22 or later. For Spring Framework 6.0.x <= 6.0.6 and Spring Framework 5.3.x <= 5.3.25, triggering the vulnerability also requires spring-security to be in use; if you confirm that spring-security is not in use, you can contact the ticket submitter to extend the ticket handling time.
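As an added example (not part of the ticket or the project's code), a Python check that flags resolved Maven dependency versions sitting below the per-branch fix versions listed in section 2 above; the mapping of the ticket's component names to Maven artifactIds and the sample dependency list are assumptions made for this example.

```python
"""Flag dependency versions below the fix versions given in section 2 of the ticket."""
import re
from typing import Dict, List, Tuple

# First fixed version per release branch, taken from section 2 of the ticket.
# Keyed by Maven artifactId; using spring-core to stand for spring_framework is an assumption.
FIXES: Dict[str, Dict[str, str]] = {
    "jackson-databind": {"2.12": "2.12.7.1", "2.13": "2.13.4.1"},
    "snakeyaml": {"2": "2.0"},
    "spring-core": {"5.2": "5.2.22", "5.3": "5.3.26", "6.0": "6.0.7"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.2.22.RELEASE' -> (5, 2, 22); non-numeric qualifiers are ignored."""
    return tuple(int(t) for t in re.findall(r"\d+", v))


def is_fixed(artifact: str, version: str) -> bool:
    """True if the version meets the fix for its branch, or lies on a newer branch."""
    branches = FIXES.get(artifact)
    if branches is None:
        return True  # not covered by this ticket
    ver = parse_version(version)
    for branch, fixed in branches.items():
        prefix = parse_version(branch)
        if ver[: len(prefix)] == prefix:
            return ver >= parse_version(fixed)
    # Not on a listed branch: only a branch newer than the newest fix counts as fixed;
    # older unlisted branches (e.g. jackson 2.11.x, snakeyaml 1.x) are reported.
    newest = max(parse_version(f) for f in branches.values())
    return ver > newest


def check_dependencies(deps: List[str]) -> List[str]:
    """deps: 'group:artifact:type:version:scope' lines as in `mvn dependency:list`
    (no classifier). Returns one finding per unfixed dependency."""
    findings = []
    for line in deps:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        artifact, version = parts[1], parts[3]
        if not is_fixed(artifact, version):
            required = ", ".join(sorted(FIXES[artifact].values()))
            findings.append(f"{artifact} {version} -> upgrade to one of {required}")
    return findings


if __name__ == "__main__":
    # Constructed sample dependency list; not taken from the ticket or the project.
    SAMPLE = ["com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile",
              "org.yaml:snakeyaml:jar:1.33:compile",
              "org.springframework:spring-core:jar:5.3.26:compile"]
    for finding in check_dependencies(SAMPLE):
        print(finding)
```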