delta-io/connectors

CVE-2022-42004, CVE-2022-42003 with jackson-databind

zhudaxi opened this issue · 2 comments

delta-standalone now has jackson-databind version 2.12.3 shaded, which has the security vulnerabilities CVE-2022-42004 (High) and CVE-2022-42003 (High).

Version 2.14.0-rc1 has the security fix.

These CVEs don't affect Delta Standalone as we don't use jackson to parse any user inputs directly. But it's still good to upgrade to the latest jackson version.

This repo has been deprecated and the code has been moved under the connectors module in the https://github.com/delta-io/delta repository. Please create the issue in the repository https://github.com/delta-io/delta. See #556 for details.