[IGNITE-13601] Ignite-rest-http and ignite-kubernetes include vulnerable dependencies - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.8.1
Fix Version/s: None
Component/s: rest
Labels:
- 2.9.1-rc

Ignite Flags:

Docs Required, Release Notes Required

Description

The ignite-rest-http and ignite-kubernetes modules include a vulnerable version of the jackson-databind library. This was spotted in 2.8.1.

This component jackson-databind-2.9.6.jar is flagged as having numerous
critical, high and medium security vulnerabilities, one of which is
described here:
https://nvd.nist.gov/vuln/detail/CVE-2019-14540

More here:

http://apache-ignite-users.70518.x6.nabble.com/Critical-security-vulnerability-for-opt-ignite-apache-ignite-libs-optional-ignite-rest-http-jackson-r-td34032.html

Attachments

Issue Links

is a clone of

IGNITE-13464 Ignite-rest-http modules includes vulnerable dependencies

Resolved

is fixed by

IGNITE-15261 Update Ignite dependency: Jackson

Resolved

links to

GitHub Pull Request #8702

Activity

People

Assignee:: Igor Baryshnikov

Reporter:: Andrew Story

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Oct/20 17:50

Updated:: 21/Dec/21 10:14

Resolved:: 21/Dec/21 10:14

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m