Found an escape character in the closing description tag that corrupts the xml.

Bug #1869918 reported by Borja Arroba
Affects: Ubuntu CVE Tracker | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

We have found an escape character in the CVE description tag closure, which causes the xml to be corrupted.

The exact line is as follows:

<description>A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. \</description>

We have found it in the feeds of:

Xenial: line 40550
Bionic: line 34099


Steve Beattie (sbeattie) wrote:

Thanks for the report. I've fixed this in the CVE tracker in https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=dd75faf42a6cd0bde2bfb12336d90724836b192c and the oval data should be regenerated from it in an hour or two.

Unfortunately, we refresh our CVE descriptions from NVD data, but their data has added some bogus junk into it recently. This is from their JSON description for CVE-2017-15095:

      "description" : {
        "description_data" : [ {
          "lang" : "en",
          "value" : "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
        }, {
          "lang" : "en",
          "value" : "\\"
        } ]
      }

(It's the second entry consisting of '\\' that caused it to be added.)

There should probably be some filtering both on input to our tracker and in our oval xml output.

Thanks for the report!
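The two failure points named in the comment above (the tooling concatenating every description_data entry, and the OVAL output not escaping what it was handed) can be shown side by side. The following is an added example written for this page, not code from the Ubuntu CVE Tracker; the NVD item is a constructed fragment modelled on the JSON quoted above, and the function names are this example's own. It reproduces the reported `\</description>` line from the naive path, shows the filtered path dropping the junk entry, and then goes one step further than the report: a lone backslash is legal XML character data, but the same unescaped path would emit a malformed element if a junk entry ever contained `<` or `&`, which building the element with ElementTree prevents.

```python
import json
import xml.etree.ElementTree as ET

# Constructed NVD 1.0-style item for CVE-2017-15095, modelled on the
# description block quoted in the comment above (not a live NVD download).
NVD_ITEM = json.loads(r'''
{
  "cve": {
    "CVE_data_meta": {"ID": "CVE-2017-15095"},
    "description": {
      "description_data": [
        {"lang": "en",
         "value": "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."},
        {"lang": "en", "value": "\\"}
      ]
    }
  }
}
''')


def naive_description(item):
    """What the broken tooling effectively did: join every description_data
    entry, junk included, so the lone backslash lands in the output."""
    entries = item["cve"]["description"]["description_data"]
    return " ".join(e["value"] for e in entries)


def pick_description(item, lang="en"):
    """Input-side filtering: return the first entry in the requested language
    that contains at least one alphanumeric character. A value such as a
    single backslash is discarded instead of being appended."""
    entries = item["cve"]["description"]["description_data"]
    for e in entries:
        if e.get("lang") != lang:
            continue
        value = e.get("value", "").strip()
        if any(ch.isalnum() for ch in value):
            return value
    return ""


def naive_oval_description(text):
    """String concatenation with no escaping: whatever is in the text goes
    straight into the element. This is the pattern behind the reported line."""
    return "<description>" + text + "</description>"


def oval_description(text):
    """Output-side safety: let ElementTree serialise the element so '<', '>'
    and '&' in the text are escaped and the element is always well-formed."""
    el = ET.Element("description")
    el.text = text
    return ET.tostring(el, encoding="unicode")


def is_well_formed(xml_fragment):
    """True if a strict XML parser accepts the fragment."""
    try:
        ET.fromstring(xml_fragment)
        return True
    except ET.ParseError:
        return False


def fixed_oval_description(item):
    """Both fixes together: filter on input, escape on output."""
    return oval_description(pick_description(item))


if __name__ == "__main__":
    print("broken :", naive_oval_description(naive_description(NVD_ITEM))[-40:])
    print("fixed  :", fixed_oval_description(NVD_ITEM)[-40:])
    # Constructed junk value: legal-looking text that is not legal XML.
    junk = "<junk> & more"
    print("naive well-formed with '<' and '&':", is_well_formed(naive_oval_description(junk)))
    print("escaped well-formed with '<' and '&':", is_well_formed(oval_description(junk)))
```

Run as a script it prints the tail of the broken and fixed elements followed by the two well-formedness checks. The alphanumeric test in `pick_description` is a deliberately simple junk filter; a stricter tracker would also log any entry it discards so that a genuine secondary description is not silently lost.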

Steve Beattie (sbeattie) wrote:

Accidentally including the secondary entries that sometimes contain garbage input was actually a breakage in our tooling; this has been fixed and so the issue for this CVE should no longer be present.

Thanks for the report!

Changed in ubuntu-cve-tracker:
status: New → Fix Released