jackson-databind July 2020 Security Fixes

  • Posted July 23, 2020

  • Updated August 11, 2020

  • Assessed Risk Level: Critical

In June 2020, jackson-databind published security updates addressing several CVEs. Previous releases of PuppetDB and Puppet Enterprise contain a vulnerable version of jackson.core:jackson-databind. PuppetDB 5.2.18, Puppet Enterprise 2018.1.16, and Puppet Enterprise 2019.8.1 contain an updated version of jackson-databind that has patched the vulnerabilities.

For more information about these vulnerabilities, refer to the following links:

Status:

Affected software versions:

  • PuppetDB versions prior to 5.2.18
  • Puppet Enterprise versions prior to 2018.1.16
  • Puppet Enterprise versions prior to 2019.8.1

Resolved in:

  • PuppetDB 5.2.18
  • Puppet Enterprise 2018.1.16
  • Puppet Enterprise 2019.8.1