FasterXML Jackson SSRF Security Bypass

This section describes a vulnerability in Jackson.

Vulnerability: A Server-Side Request Forgery (SSRF) vulnerability exists in Jackson.

Details: XmlMapper in the Jackson XML dataformat component (also known as jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery attacks through vectors related to a DTD.

Products Affected: MapR Drill versions 1.11 and lower

Impact: FasterXML Jackson is prone to a security bypass vulnerability due to a server-side request forgery error. An attacker might exploit this issue to bypass certain security restrictions and perform unauthorized actions leading to further attacks.

Severity: High (CVSS 8.6)

Bug Tracking: MapR JIRA MD-2488

Immediate Action Required: Customers should upgrade to MapR Drill 1.12 in the MEP 4.0 release from package.mapr.com/releases/MEP.

References: For related information, see: .
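
The affected ranges given under Details can be checked against a jar inventory. The following is an added example, not code from MapR or the Jackson project; the jar paths are constructed sample input, and treating a pre-release build of a fixed version as affected is an assumption.

```python
import re

# jackson-dataformat-xml-<major>.<minor>.<patch>[.<n>...][qualifier].jar
JAR_RE = re.compile(
    r"jackson-dataformat-xml-(\d+)\.(\d+)\.(\d+)(?:\.\d+)*"
    r"([.-][A-Za-z][A-Za-z0-9.]*)?\.jar$"
)

def parse_jar(path):
    """Return ((major, minor, patch), is_prerelease), or None for other files."""
    m = JAR_RE.search(path)
    if not m:
        return None
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    return version, m.group(4) is not None

def is_affected(version, prerelease=False):
    """Advisory ranges: before 2.7.8, and 2.8.x before 2.8.4."""
    # Assumption: an rc/SNAPSHOT build of a fixed version predates the fix.
    if prerelease and version in ((2, 7, 8), (2, 8, 4)):
        return True
    if version < (2, 7, 8):
        return True
    return (2, 8, 0) <= version < (2, 8, 4)

def affected_jars(paths):
    """Filter a file listing down to affected jackson-dataformat-xml jars."""
    hits = []
    for path in paths:
        parsed = parse_jar(path)
        if parsed and is_affected(*parsed):
            hits.append(path)
    return hits

# Constructed sample listing (not taken from a real installation).
SAMPLE = [
    "lib/jackson-dataformat-xml-2.7.1.jar",
    "lib/jackson-dataformat-xml-2.7.8.jar",
    "lib/jackson-dataformat-xml-2.8.0.rc1.jar",
    "lib/jackson-dataformat-xml-2.8.4-SNAPSHOT.jar",
    "lib/jackson-dataformat-xml-2.8.4.jar",
    "lib/jackson-databind-2.7.1.jar",
]

if __name__ == "__main__":
    for jar in affected_jars(SAMPLE):
        print("affected:", jar)
```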