Using a component with known vulnerability - jackson-databind 2.8.11.1 #504

@dimitarndimitrov

Description

Similar to #463, the latest msgpack-java (version 0.8.16) still uses jackson-databind (version 2.8.11.1), which has security vulnerabilities.
See https://www.sourceclear.com/vulnerability-database/security/deserialisation-of-untrusted-data/java/sid-8093.

  • The earliest recommended version to upgrade to is 2.9.9, as the whole 2.8.x range is affected by this or other issues.

P.S. Unfortunately this specific vulnerability is due to an incomplete fix of the same CVE that caused #463, so @komamitsu is spot on when saying

It's like whack-a-mole...
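The practical check behind this report is whether a build resolves jackson-databind to anything below the recommended 2.9.9, including transitively through a msgpack-java module. The script below is an added example, not code from the issue or from msgpack-java: it parses `mvn dependency:tree` style output and flags every jackson-databind coordinate older than the minimum. The sample tree is constructed for illustration (the artifact coordinates and versions in it are assumed, not taken from a real build), and `version_key` is a deliberately small approximation of Maven's version ordering that handles four-part releases such as 2.8.11.1 and pre-release suffixes.

```python
"""Flag jackson-databind versions below the minimum recommended in the issue.

Added example, not part of the original issue or of msgpack-java.  The
SAMPLE_TREE below is constructed to look like `mvn dependency:tree` output;
its coordinates and versions are illustrative only.
"""
import re
from typing import List, Tuple

MIN_SAFE = "2.9.9"  # earliest version the issue recommends upgrading to

# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:service:jar:1.0.0
[INFO] +- org.msgpack:msgpack-core:jar:0.8.16:compile
[INFO] +- org.msgpack:jackson-dataformat-msgpack:jar:0.8.16:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.1:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |     \\- com.fasterxml.jackson.core:jackson-core:jar:2.8.11:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:test
"""


def version_key(v: str) -> Tuple:
    """Turn '2.8.11.1' or '2.9.9.pr1' into a tuple that sorts like Maven
    would for the common cases: numeric components compare numerically,
    missing components count as 0, and a release with no textual suffix
    ranks above any pre-release with the same numbers.

    This is a simplified approximation of Maven's ComparableVersion."""
    nums: List[int] = []
    suffix = ""
    for part in re.split(r"[.\-]", v):
        if part.isdigit():
            nums.append(int(part))
        else:
            suffix = part  # first non-numeric part marks a pre-release label
            break
    nums += [0] * (4 - len(nums))
    return (tuple(nums), 1 if not suffix else 0, suffix)


def parse_tree(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (group, artifact, version, scope) for each coordinate line."""
    deps = []
    for line in text.splitlines():
        # drop the Maven log prefix and the tree-drawing characters
        body = re.sub(r"^\[INFO\]\s*", "", line)
        body = re.sub(r"^[\s|+\\\-]+", "", body)
        parts = body.split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:  # root module: group:artifact:type:version
            version, scope = parts[3], "root"
        else:  # group:artifact:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        deps.append((group, artifact, version, scope))
    return deps


def find_vulnerable(text: str, min_safe: str = MIN_SAFE) -> List[Tuple[str, str]]:
    """Return (version, scope) for every jackson-databind below min_safe."""
    hits = []
    for group, artifact, version, scope in parse_tree(text):
        if group == "com.fasterxml.jackson.core" and artifact == "jackson-databind":
            if version_key(version) < version_key(min_safe):
                hits.append((version, scope))
    return hits


if __name__ == "__main__":
    for version, scope in find_vulnerable(SAMPLE_TREE):
        print(f"jackson-databind {version} ({scope}) is below {MIN_SAFE}: upgrade or pin it")
```

Run it against real output with `mvn dependency:tree | python check.py` after swapping SAMPLE_TREE for stdin. A hit in `compile` or `runtime` scope is the one that matters for a deployed service; a consumer who cannot wait for a msgpack-java release can force the resolved version with a `dependencyManagement` entry in Maven or a resolution strategy in Gradle, and should re-run the check afterwards, since an override only takes effect if it actually wins resolution.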
