org.codehaus.jackson:jackson-mapper-asl@1.5.7 vulnerabilities

org.codehaus.jackson:jackson-mapper-asl is a high-performance data binding package built on Jackson JSON processor.

Affected versions of this package are vulnerable to Improper Input Validation which results in several instances of deserialization of untrusted data. This issue is parallel to vulnerabilities reported and fixed in jackson-databind (CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086). Although no fix is available for codehaus, this vulnerability can be remediated by using a fixed version of jackson-databind.

There is no fixed version for org.codehaus.jackson:jackson-mapper-asl.

org.codehaus.jackson:jackson-mapper-asl is a high-performance data binding package built on Jackson JSON processor.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. via the DOMDeserializer.class file and its inner classes (DocumentDeserializer.class and NodeDeserializer.class) that uses the _parserFactory instance without restricting it from processing external XML entities when parsing user input.

There is no fixed version for org.codehaus.jackson:jackson-mapper-asl.

For org.codehaus.jackson:jackson-all releases supporting jackson-mapper-asl. As a workaround, for 1.9.X release, the javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING setting can be enabled. For 2.x releases, the "javax.xml.stream.isSupportingExternalEntities setting can be set to FALSE.