Vulnerability CVE-2020-25649 reported on Elasticsearch 7.17.4

sbrunot · June 10, 2022, 8:19am

Hello,

vulnerability CVE-2020-25649 is reported on the jackson-databind-2.10.4.jar library of the ingest-geoip module of Elasticsearch (modules/ingest-geoip/jackson-databind-2.10.4.jar).

Are there any official statements regarding if this vulnerability does indeed apply to Elasticsearch 7.17.4, or any plan to upgrade jackson-databind to a version that does not have the vulnerability ?

If not, is there any way that I can help upgrading this dependency to a higher version ?

Thanks for your help on this.

ikakavas · June 10, 2022, 2:15pm

Thank you for your report.

Elastic's security reporting guidelines are available at Security issues | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

sbrunot · June 13, 2022, 7:36am

email sent, thank you @ikakavas.

system · July 11, 2022, 7:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Vulnerability CVE-2020-28491 reported on Elasticsearch 7.17.4 Elasticsearch	3	422	July 11, 2022
Vulnerability CVE-2020-13956 reported on Elasticsearch 7.17.4 Elasticsearch	5	342	July 18, 2022
Elastic search 7.13 found vulnerable in Twistlock report Elasticsearch docker	4	682	October 22, 2021
Vulnerabilities in latest docker image of Elasticsearch 8.3.1 Elasticsearch docker	2	751	August 16, 2022
Logstash--jackson-databind vulnerabilities for logstash-7.9.0 Logstash	1	342	December 8, 2020

Vulnerability CVE-2020-25649 reported on Elasticsearch 7.17.4

Related Topics