Block one more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728) #2999
Description
Another gadget type(s) reported regarding class(es) of org.glassfish.web/javax.servlet.jsp.jstl library.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Reporter(s): bu5yer (of Sangfor FarSight Security Lab)
Mitre id: CVE-2020-35728
Note: derivative of #2469 (embedded Xalan)
Fix is included in:
- 2.9.10.8
- 2.6.7.5
- Not considered valid CVE for Jackson 2.10.0 and later (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)