Security - CVE-2017-17485 & CVE-2018-5968 on Jackson dependency
cdanger opened this issue · 3 comments
Hello,
running owasp dependency-check on a project using jongo will cause the error below because jongo uses a version of jackson-databind affected by CVE-2017-17485 & CVE-2018-5968.
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.0.2:check (default) on project authzforce-ce-core-pdp-testutils:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] jackson-databind-2.7.3.jar: CVE-2017-17485, CVE-2018-5968
see the mentioned pull request for the fix
Hello, I can see that the fixing PR #326 is now merged and planned to be part of milestone 1.4.0, but there are still a few open issues planned as well, blocking the release. Could you do a hotfix release in the meantime (to have this security fix be part of the release)? Thank you.
Hello, 1.3.1 and 1.4.0 have been released.
1.3.1: Jackson fixAcces(true) and Jackson update to 2.7.9
1.4.0: Jackson and bson4jackson updated to 2.9.x and enhancement of Jongo classes extensibility
You can find more information here: https://github.com/bguerout/jongo/releases
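As an added example (not code from the jongo project or from this thread), a Maven pom fragment showing how a consuming project can pin the transitive jackson-databind to the 2.7.9 version the maintainer cites and make dependency-check fail the build on such findings; the org.jongo:jongo coordinates are assumed, and the versions are the ones mentioned in the thread.

```xml
<!-- Added example pom fragment, not from the jongo project or this thread.
     Assumed: the consuming project uses Maven and jongo's coordinates are
     org.jongo:jongo. Versions are taken from the thread: jongo 1.3.1,
     jackson-databind 2.7.9, dependency-check-maven 3.0.2. -->
<project>
  <properties>
    <!-- Version the maintainer states 1.3.1 upgraded to; managing it here
         forces every transitive jackson-databind to resolve to it. -->
    <jackson.version>2.7.9</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.jongo</groupId>
      <artifactId>jongo</artifactId>
      <version>1.3.1</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.0.2</version>
        <configuration>
          <!-- Fail the build for any finding with CVSS score 7 or higher -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` to confirm which jackson-databind version actually resolves before re-running `mvn dependency-check:check`.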