Is SearchGuard Affected by CVE-2020-2653?

We are using SearchGuard 6.5.4-24.0, which includes jackson-databind-2.8.11.1.jar.

There is a vulnerability in the jar, which is tracked as CVE-2020-2653. Is search-guard affected by this vulnerability? If so, please provide a patch or fix.

SearchGuard is not affected by this vulnerability because it does not enable polymorphic handling in Jackson, which is required for the vulnerability. Furthermore, it only processes trusted data with Jackson.
We will update to the most recent version of Jackson anyway with the next regular release version.
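To check the same precondition in your own code base, the sketch below flags the Jackson constructs that enable polymorphic, class-name-driven deserialization. It is an added example, not part of the posts above and not Search Guard code; the Java snippets are constructed samples, and the scan is a text heuristic covering `enableDefaultTyping`, `activateDefaultTyping` and `@JsonTypeInfo` with `Id.CLASS` or `Id.MINIMAL_CLASS`.

```python
import re

# Jackson constructs that let the JSON input choose which Java class is instantiated.
POLYMORPHIC_PATTERNS = {
    "global default typing": re.compile(r"\.(?:enable|activate)DefaultTyping\s*\("),
    "class-name type id": re.compile(
        r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\.)?Id\.(?:MINIMAL_)?CLASS\b"),
}
# String/char literals are matched first so that "//" inside a literal is not a comment.
TOKEN = re.compile(
    r'''"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])+'|/\*.*?\*/|//[^\n]*''', re.S)

def strip_comments(source):
    """Blank out Java comments, keeping newlines so line numbers stay valid."""
    def keep_literals(match):
        text = match.group(0)
        return text if text[0] in "\"'" else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(keep_literals, source)

def find_polymorphic_typing(source):
    """Return sorted (line, label) pairs for each polymorphic-typing construct."""
    code = strip_comments(source)
    findings = []
    for label, pattern in POLYMORPHIC_PATTERNS.items():
        for match in pattern.finditer(code):
            findings.append((code.count("\n", 0, match.start()) + 1, label))
    return sorted(findings)

# Constructed sample: plain data binding to a fixed target class.
SAFE_SOURCE = """\
class ConfigReader {
    // mapper.enableDefaultTyping();  commented out, must not be reported
    private final ObjectMapper mapper = new ObjectMapper();
    Settings read(String json) throws Exception {
        return mapper.readValue(json, Settings.class);
    }
}
"""
# Constructed sample: both ways of enabling polymorphic handling.
RISKY_SOURCE = """\
class Importer {
    private final ObjectMapper mapper = new ObjectMapper();
    Importer() { mapper.enableDefaultTyping(); }
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
    static class Envelope { public Object payload; }
}
"""

if __name__ == "__main__":
    for name, src in (("safe", SAFE_SOURCE), ("risky", RISKY_SOURCE)):
        print(name, find_polymorphic_typing(src))
```

An empty result only shows that these constructs are absent from the scanned source; typing enabled inside third-party dependencies needs a separate review.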


Thanks for the update!
