Several critical vulnerabilities in connector-x dependencies
jplauri opened this issue · 2 comments
jplauri commented
Describe your feature request
It seems that connector-x has several critical and high severity vulnerabilities open, stemming from e.g., com.fasterxml.jackson.core:jackson-databind, org.yaml:snakeyaml, and others. See below for a full listing of critical vulnerabilities, but note that there are others too.
I think it would be great not only to have these patched but also update the CI process to scan for vulnerabilities. As it stands, these vulnerabilities completely prevent the use of connector-x in certain organizations.
SEVERITY | IMPACTED PACKAGE | IMPACTED PACKAGE VERSION | TYPE | FIXED VERSIONS | COMPONENT | COMPONENT VERSION | CVE |
---|---|---|---|---|---|---|---|
Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | org.yaml:snakeyaml | 1.24 | Maven | [2.0] | connectorx | 0.3.2 | CVE-2022-1471 |
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | org.yaml:snakeyaml | 1.24 | Maven | [2.0] | connectorx | 0.3.2 | CVE-2022-1471 |
---------- | org.yaml:snakeyaml | 1.24 | Maven | [2.0] | connectorx | 0.3.2 | CVE-2022-1471 |
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
[2.6.7.3] | |||||||
[2.7.9.7] | |||||||
[2.8.11.5] | |||||||
[2.9.10.1] | |||||||
---------- | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
DeflateAwning commented
Is the solution just to bump the dependencies to later versions?
jplauri commented
I don't know. If it is, there should be automation to bump them in the future too.