Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)

[cowtowncoder]

Another gadget (*) type report regarding HikariConfig (sub-class of HikariDataSource)

Mitre id: CVE-2019-14439
Reporter: kingkk

Fixed in:

• 2.9.10
• 2.8.11.5
• 2.6.7.3
• does not affect 2.10.0 and later

---

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type

[cowtowncoder]

Blocked added in 2.9 to be included in 2.9.10. Also backport in 2.8 branch but uncertain if new micro-patch will be released (but if it is, that'd be 2.8.11.5)

[louro11]

This was assigned as CVE-2019-16335.

Edit: This was referenced here: https://nvd.nist.gov/vuln/detail/CVE-2019-16335 @cowtowncoder

[cowtowncoder]

@louro11 That is weird. Original reported CVE-2019-14439. Looking at CVE ID you gave seems to be for #2410, but that, too, already has different id.