Found an escape character in the closing description tag that corrupts the xml.
Bug #1869918 reported by Borja Arroba
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu CVE Tracker | Fix Released | Undecided | Unassigned |
Bug Description
We have found an escape character in the closing tag of the CVE description, which causes the XML to be corrupted.
The exact line is as follows:
<description>A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. \</description>
We have found it in the feeds of:
Xenial Line 40550
Bionic Line 34099
CVE References
Thanks for the report. I've fixed this in the CVE tracker in https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=dd75faf42a6cd0bde2bfb12336d90724836b192c and the oval data should be regenerated from it in an hour or two.
Unfortunately, we refresh our CVE descriptions from nvd data, but their data has added some bogus junk into it recently. This is from their json description for CVE-2017-15095:
"description" : {
  "description_data" : [ {
    "lang" : "en",
    "value" : "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
  }, {
    "lang" : "en",
    "value" : "\\"
  } ]
}
(It's the second entry consisting of '\\' that caused it to be added.)
There should probably be some filtering both on input to our tracker and in our oval xml output.
Thanks for the report!
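The comment above suggests filtering on both sides: when ingesting NVD description data and when emitting the OVAL XML. The following is an added illustration of that idea, not code from the Ubuntu CVE Tracker. It works on a constructed copy of the JSON quoted in the comment, drops description entries that contain nothing but backslashes and whitespace (an assumed junk rule, not the tracker's), builds the `<description>` element with an XML library so that the text is escaped rather than spliced into markup, and refuses to publish a fragment that does not parse. The element layout is a simplified stand-in for the real OVAL schema.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample modelled on the NVD JSON quoted in the comment above.
# The second entry is the bare "\\" value that leaked into the feed.
SAMPLE_NVD_JSON = r'''
{
  "description": {
    "description_data": [
      {"lang": "en",
       "value": "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."},
      {"lang": "en", "value": "\\"}
    ]
  }
}
'''


def is_junk(value: str) -> bool:
    """Assumed input-side rule: an entry is junk if nothing remains after
    stripping whitespace and backslashes (this catches the bare "\\" entry)."""
    return value.strip().strip("\\").strip() == ""


def parse_nvd(nvd_json: str) -> dict:
    """Parse an NVD CVE record from its JSON text."""
    return json.loads(nvd_json)


def select_description(record: dict, lang: str = "en") -> str:
    """Return the first usable description in the requested language."""
    for entry in record["description"]["description_data"]:
        if entry.get("lang") == lang and not is_junk(entry.get("value", "")):
            return entry["value"].strip()
    raise ValueError("no usable description found")


def build_definition_xml(cve_id: str, description: str) -> bytes:
    """Emit a minimal, OVAL-like <definition> (simplified layout, assumed).
    ElementTree escapes &, < and > in text, so the description can never
    open or close a tag on its own."""
    definition = ET.Element("definition", id=cve_id)
    ET.SubElement(definition, "description").text = description
    return ET.tostring(definition, encoding="utf-8")


def validate_xml(data: bytes) -> bool:
    """Output-side check: the fragment must parse before it is published."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def extract_description(data: bytes) -> str:
    """Read the description text back out of a generated fragment."""
    return ET.fromstring(data).find("description").text


def generate(cve_id: str, nvd_json: str) -> bytes:
    """Full path: JSON in, filtered and validated XML fragment out."""
    record = parse_nvd(nvd_json)
    xml_bytes = build_definition_xml(cve_id, select_description(record))
    if not validate_xml(xml_bytes):
        raise RuntimeError("generated XML does not parse; refusing to publish")
    return xml_bytes


if __name__ == "__main__":
    print(generate("CVE-2017-15095", SAMPLE_NVD_JSON).decode())
```

Running the block prints a single `<definition>` whose description ends with "maliciously.", with no stray backslash before `</description>`. The two checks are deliberately independent: the junk filter stops a bad NVD entry from being chosen, and the parse check catches any other way a fragment could come out malformed.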