Spring Boot 2.1.x's dependency management already uses Jackson 2.9.8. It will override the version that Spring Cloud Connectors uses by default. In short, there's nothing for us to do here.
AFAIK, Spring Boot 1.5.x should work with Jackson 2.9.8. I'd strongly recommend an upgrade to 2.1.x in the near future though. 1.5.x will reach end of life in August.
Note that the fixes for those CVEs are included in the 2.8.x line of Jackson as well so there should be no need to override the version. If you haven't already seen it, this blog post is recommended reading with regards to Jackson CVEs. Even on a version without the fixes, it's unlikely that your application would be vulnerable.
Hello,
4 CVEs (CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721) are brought up with the com.fasterxml.jackson.core:jackson-databind version 2.9.5 included in spring-cloud-cloudfoundry-connector. The corrections were fixed in version 2.9.8. The fix will be added in version 2.0.5 of spring-cloud-connectors.
Can the version be updated in a quick upcoming bug fix?
Thank you
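Because Spring Boot's dependency management can override the connector's declared Jackson version, the version that matters is the one in the resolved tree, not the one in the connector's POM. The following is an added example, not code from this issue or from the spring-cloud-connectors project: it scans constructed `mvn dependency:tree` excerpts and reports any jackson-databind older than 2.9.8 (the `CONNECTOR_VERSION` and demo coordinates are placeholders).

```python
import re
from typing import List, Tuple

# Jackson release that carries the fixes for the four CVEs named in the issue.
FIXED_VERSION = "2.9.8"
ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"

# Coordinate part of a `mvn dependency:tree` line: group:artifact:jar:version[:scope]
# (assumes no classifier, which is the common case for these artifacts).
_COORD = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[\w.\-]+)")

# Constructed tree excerpts (not real build output). On Boot 2.1.x the managed
# version wins; on Boot 1.5.x without an override the connector's 2.9.5 is resolved.
BOOT_21_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.cloud:spring-cloud-cloudfoundry-connector:jar:CONNECTOR_VERSION:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
"""
BOOT_15_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.cloud:spring-cloud-cloudfoundry-connector:jar:CONNECTOR_VERSION:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.9.8' -> (2, 9, 8). Parsing stops at the first non-numeric segment, so
    a qualifier such as '.pr1' is ignored (a simplification for this check)."""
    parts = []
    for segment in v.split("."):
        m = re.match(r"\d+", segment)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_jackson_databind(tree_text: str) -> List[str]:
    """Every jackson-databind version that appears in the resolved tree."""
    found = []
    for line in tree_text.splitlines():
        m = _COORD.search(line)
        if m and f"{m.group('group')}:{m.group('artifact')}" == ARTIFACT:
            found.append(m.group("version"))
    return found


def unpatched_versions(tree_text: str, fixed: str = FIXED_VERSION) -> List[str]:
    """Resolved jackson-databind versions older than the fixed release."""
    return [v for v in find_jackson_databind(tree_text) if parse_version(v) < parse_version(fixed)]


if __name__ == "__main__":
    for name, tree in (("Boot 2.1.x", BOOT_21_TREE), ("Boot 1.5.x", BOOT_15_TREE)):
        print(name, "unpatched:", unpatched_versions(tree) or "none")
```

Run it against real output with `mvn dependency:tree | python check.py` after swapping the constructed excerpts for `sys.stdin.read()`.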