FusionAuth/fusionauth-jwt

io.fusionauth:fusionauth-jwt:4.0.1 has security vulnerabilities

rvillane opened this issue 4 years ago · 4 comments

rvillane commented 4 years ago

io.fusionauth:fusionauth-jwt:4.0.1 uses:

    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.10.3</version>
    </dependency>

but this dependency has several security vulnerabilities:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14060
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14061
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14062
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14195
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24616
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24750

Version 2.12.1 is now available: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.12.1 and it includes the fixes.

robotdan commented 4 years ago

Ugh.. hard to keep up with Jackson vulnerabilities. :-) Thanks for the heads up.

rvillane commented 4 years ago

@robotdan I hear you, is a nightmare. Thanks for the quick fix.

🎉1

rvillane commented 4 years ago

@robotdan any idea when v4.1.0 will become available in Maven repository ?

robotdan commented 4 years ago

Oops, did not release to maven yet. Done. Thanks for the reminder. (may take an hour or two for it to show up in the maven repos)