Latest delta-standalone version 0.3.0 has security risk CWE611
zhudaxi opened this issue · 4 comments
In latest delta-standalone version 0.3.0 jar, shadedelta/com/fasterxml/jackson/databind/ext/DOMSerializer is risky for CWE611.
This may be due to version jackson-databind-2.10.0 having CVE-2020-25649. If upgraded to the latest version, this issue might be fixed.
@zhudaxi Thanks for reporting this. Since Delta Standalone doesn't use Jackson to process XML, it should not be affected. Please let us know if we misunderstand the CVE.
Thanks! I'm going to close this as it doesn't affect Delta Standalone.
@zsxwing Can we open this issue so that once this jackson-databind side issue is fixed, the delta-standalone project can upgrade to adopt the fix?
Also, jackson-databind has another security issue CVE-2020-36518, do you want to upgrade the version for delta-standalone?
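One way to verify what a shaded jar actually bundles, as an added example that is not code from this issue or from the Delta project: it reads the jackson-databind version from the Maven `pom.properties` that shading normally leaves in place and checks whether the relocated `DOMSerializer` class named in the report is present. It assumes Jackson was relocated under `shadedelta/`, that `META-INF/maven/.../pom.properties` survived shading, and that the minimum acceptable version is supplied by the caller; the jar it inspects is constructed inline.

```python
import io
import re
import zipfile

# Paths assumed to exist in the shaded jar (assumption: the shade plugin kept
# Jackson's pom.properties and relocated classes under the "shadedelta/" prefix).
POM_PROPERTIES = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
DOM_CLASS = "com/fasterxml/jackson/databind/ext/DOMSerializer.class"


def build_sample_jar(version="2.10.0", prefix="shadedelta/"):
    """Constructed stand-in for a shaded jar; not the real delta-standalone artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPERTIES,
                   f"version={version}\ngroupId=com.fasterxml.jackson.core\n"
                   "artifactId=jackson-databind\n")
        z.writestr(prefix + DOM_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        z.writestr(prefix + "com/fasterxml/jackson/databind/ObjectMapper.class",
                   b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_version(v):
    """'2.10.5.1' -> (2, 10, 5, 1); tuples compare component-wise."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def inspect_shaded_jackson(jar_bytes, minimum, prefix="shadedelta/"):
    """Report the bundled jackson-databind version, whether the relocated
    DOMSerializer class is shipped, and whether the version is below `minimum`
    (the minimum is a caller-chosen policy value, not taken from the issue)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in z.read(POM_PROPERTIES).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {
        "version": version,
        "dom_serializer_present": (prefix + DOM_CLASS) in names,
        "below_minimum": version is not None
        and parse_version(version) < parse_version(minimum),
    }


if __name__ == "__main__":
    print(inspect_shaded_jackson(build_sample_jar(), minimum="2.12.0"))
```

Run it against the real jar by passing the file's bytes instead of `build_sample_jar()`; a `version` of `None` means the pom.properties was stripped and the class listing is the only evidence left.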