[TIKA-2964] Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.23
Fix Version/s: 1.24
Component/s: parser
Labels:
None

Description

When compiling the latest version of the source code, following error is reported:

[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project tika-parsers: Detected 1 vulnerable components:
[ERROR]   com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10
[ERROR]     * [CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680
[ERROR]     * [CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e

We need to bump version after the 2.9.10.1 is released or consider switching to 2.10 that isn't vulnerable...

Attachments

Issue Links

links to

GitHub Pull Request #287

Activity

People

Assignee:: Unassigned

Reporter:: Alex Ott

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 13/Oct/19 08:59

Updated:: 21/Apr/20 19:24

Resolved:: 21/Apr/20 19:24