Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 7.1.1, 8.0.0-M3
- None
Description
TomEE 7.1.1 depends on jackson-databind 2.9.6.
TomEE 8.0.0-M3 ships an even older version 2.9.4.
All jackson versions up to 2.9.9.1 are vulnerable. Vulnerabilities in this component are hard to mitigate, because it is likely that it parses network data.
This issue currently blocks my company from using TomEE out of the box.