Ubuntu CVE Tracker

Found an escape character in the closing description tag that corrupts the xml.

Bug #1869918 reported by Borja Arroba on 2020-03-31

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu CVE Tracker	Fix Released	Undecided	Unassigned

Bug Description

We have found an escape character in the CVE description tag closure, which causes the xml to be corrupted.

Exactly the line is as follows:

<description>A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. \</description>

We have found it in the feeds of:

Xenial Line 40550
Bionic Line 34099

CVE References

Revision history for this message

Steve Beattie (sbeattie) wrote on 2020-03-31:

Thanks for the report. I've fixed this in the CVE tracker in https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=dd75faf42a6cd0bde2bfb12336d90724836b192c and the oval data should be regenerated from it in an hour or two.

Unfortunately, we refresh our CVE descriptions from nvd data, but their data has added some bogus junk into it recently. This is from their json description for CVE-2017-15095:

      "description" : {
        "description_data" : [ {
          "lang" : "en",
          "value" : "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously."
        }, {
          "lang" : "en",
          "value" : "\\"
        } ]
      }

(It's the second entry consisting of '\\' that caused it to be added.)

There should probably be some filtering both on input to our tracker and in our oval xml output.

THanks for the report!

Revision history for this message

Steve Beattie (sbeattie) wrote on 2020-05-27:

Accidentally including the secondary entries that sometimes contain garbage input was actually a breakage in our tooling; this has been fixed and so the issue for this CVE should no longer be present.

Thanks for the report!

Changed in ubuntu-cve-tracker:
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.