I’m using searchguard v6_6_5_4_24_0. It uses the jackson-databind-126.96.36.199 jar, which is vulnerable to remote code execution. Kindly update a fix for this.
Reference link: https://blog.csdn.net/weixin_45728976/article/details/104887700?fps=1&locationNum=2
SearchGuard is not affected by this vulnerability because it does not enable polymorphic handling in Jackson, which is required for the vulnerability. Furthermore, it only processes trusted data with Jackson.
We will anyway update to the most recent version of Jackson with the next regular release version.
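The following is an added example, not part of the original thread and not Search Guard code. It shows what "polymorphic handling" changes in Jackson: the same type-tagged JSON is parsed by a default `ObjectMapper`, by one with global default typing, and by one restricted to an allow-list. It assumes Jackson 2.10 or later on the classpath; the input and the package prefix `com.example.model.` are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingCheck {
    // Constructed input: the wrapper-array form in which the first element is
    // read as a class name once default typing is on. java.util.Date is harmless.
    static final String TAGGED = "[\"java.util.Date\", 0]";

    // Returns the runtime class Jackson produced, or a marker if it refused.
    static String resultType(ObjectMapper mapper) {
        try {
            return mapper.readValue(TAGGED, Object.class).getClass().getName();
        } catch (JsonProcessingException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    @SuppressWarnings("deprecation")
    public static void main(String[] args) {
        // 1. Default mapper, no polymorphic handling: the class name stays a string.
        ObjectMapper plain = new ObjectMapper();
        System.out.println("plain:      " + resultType(plain));

        // 2. Global default typing: the input now selects the class to instantiate.
        ObjectMapper defaultTyping = new ObjectMapper();
        defaultTyping.enableDefaultTyping();
        System.out.println("default:    " + resultType(defaultTyping));

        // 3. Default typing restricted to an allow-list of subtypes.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical package prefix
                .build();
        ObjectMapper allowListed = new ObjectMapper();
        allowListed.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        System.out.println("allow-list: " + resultType(allowListed));
    }
}
```

To check whether your own code is exposed, search it for `enableDefaultTyping`, `activateDefaultTyping` and `@JsonTypeInfo` with `Id.CLASS` or `Id.MINIMAL_CLASS`, and confirm where the JSON handed to those mappers comes from.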
Will be included in the next v41 release of Search Guard.