sfu-db/connector-x

Several critical vulnerabilities in connector-x dependencies

jplauri opened this issue · 2 comments

Describe your feature request

It seems that connector-x has several critical and high severity vulnerabilities open, stemming from e.g., com.fasterxml.jackson.core:jackson-databind, org.yaml:snakeyaml, and others. See below for a full listing of critical vulnerabilities, but note that there are others too.

I think it would be great not only to have these patched but also update the CI process to scan for vulnerabilities. As it stands, these vulnerabilities completely prevent the use of connector-x in certain organizations.

SEVERITY IMPACTED PACKAGE IMPACTED PACKAGE VERSION TYPE FIXED VERSIONS COMPONENT COMPONENT VERSION CVE
Critical com.fasterxml.jackson.core:jackson-databind 2.10.0 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0.pr1 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0.pr1 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- org.yaml:snakeyaml 1.24 Maven [2.0] connectorx 0.3.2 CVE-2022-1471
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0.pr1 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0.pr1 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- org.yaml:snakeyaml 1.24 Maven [2.0] connectorx 0.3.2 CVE-2022-1471
---------- org.yaml:snakeyaml 1.24 Maven [2.0] connectorx 0.3.2 CVE-2022-1471
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0.pr1 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942
[2.6.7.3]
[2.7.9.7]
[2.8.11.5]
[2.9.10.1]
---------- com.fasterxml.jackson.core:jackson-databind 2.10.0 Maven [2.10.1] connectorx 0.3.2 CVE-2019-16942

Is the solution just to bump the dependencies to later versions?

I don't know. If it is, there should be automation to bump them in the future too.