Is SearchGuard Affected by CVE-2020-2653

Kasinaat_Selvi_Sukesh · March 30, 2020, 4:25am

We are using SeachGuard 6.5.4-24.0 which comprises of jackson-databind-2.8.11.1.jar

There is a vulnerability with the jar which is CVEd as CVE-2020-2653. Is search-guard affected by this vulnerability,if so please update a patch or fix.

srgbnd · March 30, 2020, 8:06am

SearchGuard is not affected by this vulnerability because it does not enable polymorphic handling in Jackson, which is required for the vulnerability. Furthermore, it only processes trusted data with Jackson.
We will anyway update to the most recent version of Jackson with the next regular release version.

Praveen_Giri · March 30, 2020, 8:32am

Thanks for the update!

system · April 20, 2020, 8:32am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Seach Guard and CVE-2022-42889 Search Guard	3	609	November 15, 2022
CVE-2022-46364 \| GHSA-x3x3-qwjq-8gj4 Security Issue on SearchGuard Search Guard	2	564	March 13, 2023
CVE-2021-38153 Security issue in Searchguard package Search Guard	2	326	March 3, 2023
Search Guard for Elasticsearch 6.8.21 CVE-2021-44228 Search Guard	1	772	January 4, 2022
Update on the Log4J2 RCE Vulnerability - CVE-2021-44228 Announcements	2	1344	December 28, 2021

Is SearchGuard Affected by CVE-2020-2653

Related Topics