
Adding Jackson BOM to core to ensure jackson version inheritance.

Daniel Scholl requested to merge jackson-vulnerabilities into master

Fix: Resolve vulnerabilities in jackson-databind

This PR addresses high-severity vulnerabilities identified in the jackson-databind library. Below is the list of vulnerabilities that have been resolved:

Resolved Vulnerabilities:

  1. com.fasterxml.jackson.core:jackson-databind
    • Vulnerability: CVE-2020-36518
      • Severity: High
      • Issue: Denial of Service via a large depth of nested objects.
      • Resolution: Upgraded from 2.11.3 to 2.13.2.1.
    • Vulnerability: CVE-2021-46877
      • Severity: High
      • Issue: Possible Denial of Service if using JDK serialization to serialize JsonNode.
      • Resolution: Upgraded from 2.11.3 to 2.13.1.
    • Vulnerability: CVE-2022-42003
      • Severity: High
      • Issue: Vulnerability with deep wrapper array nesting related to UNWRAP_SINGLE_VALUE_ARRAYS.
      • Resolution: Upgraded from 2.11.3 to 2.13.4.2.
    • Vulnerability: CVE-2022-42004
      • Severity: High
      • Issue: Use of deeply nested arrays can lead to potential issues.
      • Resolution: Upgraded from 2.11.3 to 2.13.4.

By upgrading to a secure version of jackson-databind, this PR ensures enhanced security and mitigates the risks associated with these vulnerabilities. Please review and approve.
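The merge request title describes the mechanism (importing the Jackson BOM so that every Jackson artifact inherits one version) but the diff is not shown on this page. The pom below is an added example, not the merge request's own change: the `com.fasterxml.jackson:jackson-bom` coordinates and the `type=pom`/`scope=import` mechanism are real Maven/Jackson facts; the module coordinates (`org.example:core`) and the BOM version `2.13.4.20221013` (assumed to pin jackson-databind 2.13.4.2, the version the description cites for CVE-2022-42003) are assumptions.

```xml
<!-- Added example (not the merge request's own diff): a Maven pom that
     imports the Jackson BOM so every Jackson artifact, direct or
     transitive, resolves to the version the BOM pins.
     Assumptions: the org.example:core coordinates, and that jackson-bom
     2.13.4.20221013 pins jackson-databind 2.13.4.2. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>            <!-- assumed -->
  <artifactId>core</artifactId>             <!-- assumed -->
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <!-- Assumed BOM version; bump this one property to move all of Jackson. -->
    <jackson.version>2.13.4.20221013</jackson.version>
  </properties>

  <!-- Before (the weak form): each Jackson artifact carried its own version,
       e.g. jackson-databind pinned to 2.11.3 in this pom while jackson-core and
       jackson-annotations arrived transitively at whatever version other
       dependencies pulled in. Bumping one artifact left the others mixed. -->

  <dependencyManagement>
    <dependencies>
      <!-- After: import the BOM. type=pom + scope=import copies the BOM's
           dependencyManagement into this pom; it adds no jar by itself. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> here: it is inherited from the imported BOM. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm the inheritance actually took effect, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` in the module and check that every `jackson-core`, `jackson-annotations` and `jackson-databind` line reports the version the BOM pins; a stray explicit `<version>` on a Jackson dependency in this pom or in a child module still wins over the managed version, so any remaining 2.11.x line in the tree points to such a declaration that also needs removing.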
