Vulnerabilities in jackson-databind 2.9.10.6
Philzen opened this issue · 1 comment
See https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
In v0.2.2 the dependency tree includes jackson-databind 2.9.10.6:
$ mvn dependency:tree -Dincludes=com.fasterxml.jackson.core
[INFO] \- org.openapitools:jackson-databind-nullable:jar:0.2.2:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.6:compile
[INFO] \- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
This currently has over a dozen known vulnerabilities, some of which are listed with high severity – mvnrepository lists 15, the OWASP dependency scanner 16:
Just tested with fixing the dependency to v2.9.10.8, which seems to be fine (the OWASP dependency scanner does not report it anymore).
So the obvious recommendation is to upgrade.
My bad... I have a transitive dependency in Spring Boot that nails it to that version 🤦
Of course I now see that this project has 2.12.2 in its pom.xml, which is not vulnerable.
Rahhh, Maven dependency hell ... apologies for the noise.
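For the situation described in this thread (a transitive dependency pinning jackson-databind to 2.9.10.6), the consuming project can force the resolved version itself; this is an added example, not the project's pom.xml or anything the reporter posted. It assumes the coordinates from the dependency tree above and uses 2.9.10.8, the version the reporter tested as clean.

```xml
<!-- Added example (not from the issue): pin the transitive jackson-databind
     in the consuming project's pom.xml. An entry in dependencyManagement
     overrides the version any transitive dependency (here the Spring Boot
     parent / jackson-databind-nullable) would otherwise resolve to. -->
<project>
  <!-- ... groupId / artifactId / parent etc. of the consuming project ... -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <!-- 2.9.10.8 is the version the reporter found clean with the OWASP
             dependency scanner; it stays on the same 2.9.10 line as the
             resolved jackson-core, so no binary mismatch is introduced. -->
        <version>2.9.10.8</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Re-run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` afterwards and check that jackson-databind now shows the managed version rather than 2.9.10.6.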