add fix-commits to 39 jackson-databind CVEs

stschott · copernico · commit f7ac313b4a0e · 2024-09-23T13:15:07.000+02:00
diff --git a/statements/CVE-2017-15095/statement.yaml b/statements/CVE-2017-15095/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2017-15095
 notes:
 - text: A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: ddfddfba6414adbecaff99684ef66eebd3a92e92
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
   reason: Reviewed manually
diff --git a/statements/CVE-2018-14718/statement.yaml b/statements/CVE-2018-14718/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14718
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2018-14719/statement.yaml b/statements/CVE-2018-14719/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14719
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2018-14720/statement.yaml b/statements/CVE-2018-14720/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14720
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2018-14721/statement.yaml b/statements/CVE-2018-14721/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-14721
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 87d29af25e82a249ea15858e2d4ecbf64091db44
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2018-19360/statement.yaml b/statements/CVE-2018-19360/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-19360
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 72cd4025a229fb28ec133235003dd4616f70afaa
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.1
   reason: Reviewed manually
diff --git a/statements/CVE-2018-19361/statement.yaml b/statements/CVE-2018-19361/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-19361
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 72cd4025a229fb28ec133235003dd4616f70afaa
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
   reason: Reviewed manually
diff --git a/statements/CVE-2018-19362/statement.yaml b/statements/CVE-2018-19362/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2018-19362
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 72cd4025a229fb28ec133235003dd4616f70afaa
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
   reason: Reviewed manually
diff --git a/statements/CVE-2019-12086/statement.yaml b/statements/CVE-2019-12086/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-12086
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: dda513bd7251b4f32b7b60b1c13740e3b5a43024
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2019-12384/statement.yaml b/statements/CVE-2019-12384/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-12384
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: c9ef4a10d6f6633cf470d6a469514b68fa2be234
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2019-12814/statement.yaml b/statements/CVE-2019-12814/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-12814
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 5f7c69bba07a7155adde130d9dee2e54a54f1fa5
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2019-14379/statement.yaml b/statements/CVE-2019-14379/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-14379
 notes:
 - text: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: ad418eeb974e357f2797aef64aa0e3ffaaa6125b
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2019-14439/statement.yaml b/statements/CVE-2019-14439/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-14439
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: ad418eeb974e357f2797aef64aa0e3ffaaa6125b
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2019-14892/statement.yaml b/statements/CVE-2019-14892/statement.yaml
@@ -1,6 +1,15 @@
 vulnerability_id: CVE-2019-14892
 notes:
 - text: A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 41b7f9b90149e9d44a65a8261a8deedc7186f6af
+    repository: https://github.com/FasterXML/jackson-databind
+  - id: 819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b
+    repository: https://github.com/FasterXML/jackson-databind
+  - id: 335db543d45f21ffd0ecf3df8da52eb501a0f087
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
   reason: Reviewed manually
diff --git a/statements/CVE-2019-14893/statement.yaml b/statements/CVE-2019-14893/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-14893
 notes:
 - text: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 998efd708284778f29d83d7962a9bd935c228317
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11
   reason: Reviewed manually
diff --git a/statements/CVE-2019-16942/statement.yaml b/statements/CVE-2019-16942/statement.yaml
@@ -1,6 +1,15 @@
 vulnerability_id: CVE-2019-16942
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 9593e16cf5a3d289a9c584f7123639655de9ddac
+    repository: https://github.com/FasterXML/jackson-databind
+  - id: 328a0f833daf6baa443ac3b37c818a0204714b0b
+    repository: https://github.com/FasterXML/jackson-databind
+  - id: 54aa38d87dcffa5ccc23e64922e9536c82c1b9c8
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2019-16943/statement.yaml b/statements/CVE-2019-16943/statement.yaml
@@ -1,6 +1,15 @@
 vulnerability_id: CVE-2019-16943
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 9593e16cf5a3d289a9c584f7123639655de9ddac
+    repository: https://github.com/FasterXML/jackson-databind
+  - id: 328a0f833daf6baa443ac3b37c818a0204714b0b
+    repository: https://github.com/FasterXML/jackson-databind
+  - id: 54aa38d87dcffa5ccc23e64922e9536c82c1b9c8
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2019-17267/statement.yaml b/statements/CVE-2019-17267/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-17267
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 191a4cdf87b56d2ddddb77edd895ee756b7f75eb
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2019-17531/statement.yaml b/statements/CVE-2019-17531/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-17531
 notes:
 - text: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: b5a304a98590b6bb766134f9261e6566dcbbb6d0
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2019-20330/statement.yaml b/statements/CVE-2019-20330/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2019-20330
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: fc4214a883dc087070f25da738ef0d49c2f3387e
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1
   reason: Reviewed manually
diff --git a/statements/CVE-2020-10650/statement.yaml b/statements/CVE-2020-10650/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10650
 notes:
 - text: ""
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: a424c038ba0c0d65e579e22001dec925902ac0ef
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2020-10672/statement.yaml b/statements/CVE-2020-10672/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10672
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 592872f4235c7f2a3280725278da55544032f72d
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2020-10968/statement.yaml b/statements/CVE-2020-10968/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10968
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 05d7e0e13f43e12db6a51726df12c8b4d8040676
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2020-10969/statement.yaml b/statements/CVE-2020-10969/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-10969
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 4d038c9de0aa80a5dae27f552a975cb39cc42b60
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2020-11111/statement.yaml b/statements/CVE-2020-11111/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11111
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 05d7e0e13f43e12db6a51726df12c8b4d8040676
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2020-11112/statement.yaml b/statements/CVE-2020-11112/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11112
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 05d7e0e13f43e12db6a51726df12c8b4d8040676
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2020-11113/statement.yaml b/statements/CVE-2020-11113/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11113
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: e2ba12d5d60715d95105e3e790fc234cfb59893d
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0
   reason: Reviewed manually
diff --git a/statements/CVE-2020-11619/statement.yaml b/statements/CVE-2020-11619/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11619
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 113e89fb08b1b6b072d60b3e4737ed407c13db9a
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1
   reason: Reviewed manually
diff --git a/statements/CVE-2020-11620/statement.yaml b/statements/CVE-2020-11620/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-11620
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 77040d85e3eb6710508e6445640ae1a3d5e60c22
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1
   reason: Reviewed manually
diff --git a/statements/CVE-2020-14060/statement.yaml b/statements/CVE-2020-14060/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-14060
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: d1c67a0396e84c08d0558fbb843b5bd1f26e1921
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3
   reason: Reviewed manually
diff --git a/statements/CVE-2020-14061/statement.yaml b/statements/CVE-2020-14061/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-14061
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 5c8642aeae9c756b438ab7637c90ef3c77966e6e
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3
   reason: Reviewed manually
diff --git a/statements/CVE-2020-14062/statement.yaml b/statements/CVE-2020-14062/statement.yaml
@@ -1,6 +1,11 @@
 vulnerability_id: CVE-2020-14062
 notes:
 - text: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 840eae2ca81c597a0010b2126f32dce17d384b70
+    repository: https://github.com/FasterXML/jackson-databind
 artifacts:
 - id: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3
   reason: Reviewed manually
diff --git a/statements/CVE-2020-14195/statement.yaml b/statements/CVE-2020-14195/statement.yaml
diff --git a/statements/CVE-2020-24616/statement.yaml b/statements/CVE-2020-24616/statement.yaml
diff --git a/statements/CVE-2020-24750/statement.yaml b/statements/CVE-2020-24750/statement.yaml
diff --git a/statements/CVE-2020-8840/statement.yaml b/statements/CVE-2020-8840/statement.yaml
diff --git a/statements/CVE-2020-9546/statement.yaml b/statements/CVE-2020-9546/statement.yaml
diff --git a/statements/CVE-2020-9547/statement.yaml b/statements/CVE-2020-9547/statement.yaml
diff --git a/statements/CVE-2020-9548/statement.yaml b/statements/CVE-2020-9548/statement.yaml
