| ID | Product | Version | Vulnerability |
| --- | --- | --- | --- |
| SUID-2019-00001 | Scytl Secure Vote (sVote) | 2.1 | Jackson-Databind RCE |
*SUID IDs reference security issues and bad practices that are not necessarily exploitable but might still cause issues in certain scenarios.
Description
When checking the online-voting-mixing component we see a vulnerable Jackson version imported in evoting-solution-master/source-code/online-voting-mixing/pom.xml: jackson-databind version 2.8.9.
This version has over 10 CVEs registered:
https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/version_id-238178/Fasterxml-Jackson-databind-2.8.9.html
Those include RCEs, for example:
CVE-2018-7489
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
This can be exploited fairly simply, as described in:
https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Even though this transitive dependency is superseded by other projects, it still makes sense to reduce the number of external libraries and to upgrade it where possible, to reduce the risk of mistakes.
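A check a reviewer can run against such a pom.xml, added here as an example and not part of the original advisory or of the sVote code base: it resolves the declared jackson-databind version (including `${property}` references) and tests it against the version ranges quoted from CVE-2018-7489 above. The sample POM is constructed to mirror the 2.8.9 finding.

```python
# Added example (not part of the SUID advisory): audit a Maven pom.xml for
# jackson-databind versions inside the CVE-2018-7489 affected ranges quoted above.
import re
import xml.etree.ElementTree as ET

# Affected per the CVE text: <2.7.9.3, 2.8.x <2.8.11.1, 2.9.x <2.9.5.
FIXED = {(2, 7): (2, 7, 9, 3), (2, 8): (2, 8, 11, 1), (2, 9): (2, 9, 5)}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """'2.8.9' -> (2, 8, 9); qualifiers such as '-rc1' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(version):
    """True if this jackson-databind version falls in a CVE-2018-7489 range."""
    v = parse_version(version)
    # 2.7/2.8/2.9 have branch fixes; older than 2.7.9.3 is affected, newer branches are not.
    return v < FIXED.get(v[:2], (2, 7, 9, 3))

def find_jackson_databind(pom_xml):
    """[(declared, resolved, affected)] for each jackson-databind dependency."""
    root = ET.fromstring(pom_xml)
    # <properties> so that ${jackson.version}-style references can be resolved
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        if (gid, aid) != ("com.fasterxml.jackson.core", "jackson-databind"):
            continue
        declared = dep.findtext("m:version", default="", namespaces=NS).strip()
        resolved = re.sub(r"\$\{([^}]+)\}",
                          lambda m: props.get(m.group(1), m.group(0)), declared)
        # None when the version is inherited (parent/BOM) or a property is unresolved
        affected = is_affected(resolved) if resolved[:1].isdigit() else None
        findings.append((declared, resolved, affected))
    return findings

# Constructed sample POM mirroring the advisory's finding (jackson-databind 2.8.9).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.8.9</jackson.version></properties>
  <dependencies><dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>${jackson.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    for declared, resolved, affected in find_jackson_databind(SAMPLE_POM):
        print(declared, "->", resolved, "AFFECTED by CVE-2018-7489" if affected else "ok")
```

A `None` result means the version is managed elsewhere (parent POM or BOM) and must be checked there; the script only covers the module's own pom.xml.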
Timeline
| Date | Event |
| --- | --- |
| February 09 2020 | Submitted vulnerability to vendor |
| February 13 2020 | Vendor acknowledged the issue |
Credits
| Name | Team |
| --- | --- |
| Anthony Schneiter | SUID |
| Jannis Kirschner | SUID |