Scytl Secure Vote (sVote)
When checking the online-voting-mixing component, we see a vulnerable Jackson version imported (evoting-solution-master/source-code/online-voting-mixing/pom.xml).
This version has over 10 CVEs registered: https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/version_id-238178/Fasterxml-Jackson-databind-2.8.9.html
Those include RCEs:
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
This can be exploited fairly simply: https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Even though this transitive dependency is superseded by other projects, it still makes sense to reduce external libraries and upgrade it if possible, to reduce the risk of mistakes.
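A check for the version ranges named in the CVE text above, as an added example that is not part of the original advisory or the sVote code: it scans a pom.xml for jackson-databind declarations, resolves `${property}` versions and compares them to the first fixed release per branch. The thresholds 2.7.9.3, 2.8.11.1 and 2.9.5 come from the public CVE description; the sample pom and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, per the public CVE description of this flaw.
FIXED = {(2, 7): (2, 7, 9, 3), (2, 8): (2, 8, 11, 1), (2, 9): (2, 9, 5)}

def parse_version(text):
    """'2.8.11.1' -> (2, 8, 11, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def is_vulnerable(version):
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v[:2] < (2, 7)  # older branches are affected, newer ones are not
    return v < fixed           # (2, 8, 11) < (2, 8, 11, 1), so 2.8.11 is flagged

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace

def scan_pom(pom_xml):
    """Return [(version, verdict)]; both are None if the version is set elsewhere."""
    # xml.etree is not hardened against hostile XML: only feed it your own poms.
    root = ET.fromstring(pom_xml)
    props = {local(p.tag): (p.text or "").strip()
             for el in root.iter() if local(el.tag) == "properties" for p in el}
    results = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != "jackson-databind":
            continue
        raw = fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", raw)  # version given as ${property}
        version = props.get(ref.group(1), "") if ref else raw
        results.append((version, is_vulnerable(version)) if version else (None, None))
    return results

# Constructed sample pom, not taken from the sVote source tree.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.8.9</jackson.version></properties>
  <dependencies>
    <dependency><artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version></dependency>
    <dependency><artifactId>jackson-databind</artifactId></dependency>
  </dependencies>
</project>"""
```

A declaration with no version in the file (managed by a parent pom or arriving transitively) is reported as unknown; `mvn dependency:tree` shows the version Maven actually resolves.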
- Feb 09, 2019 - Submitted issue to vendor
- Feb 13, 2019 - Vendor acknowledged the issue
Jannis Kirschner & Anthony Schneiter from Team SUID
*SUID-IDs reference security issues and bad practices that are not necessarily exploitable but still might cause issues in certain scenarios.