[TOMEE-2655] Depends on vulnerable Jackson Version - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 7.1.1, 8.0.0-M3
Fix Version/s: 7.1.2, 8.0.1
Component/s: None
Labels:

External issue URL:
https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html

Description

TomEE 7.1.1 depends on jackson-databind 2.9.6

TomEE 8.0.0-M3 ships an even older version 2.9.4.

All jackson versions up to 2.9.9.1 are vulnerable. Vulnerabilities in this component are hard to mitigate, because it is likly that it parses network data.

This issue currently blocks my company from using TomEE out of the box.

Attachments

Issue Links

links to

GitHub Pull Request #548

GitHub Pull Request #549

Activity

People

Assignee:: Richard Zowalla

Reporter:: Robert Schaft

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 03/Sep/19 11:59

Updated:: 11/Dec/19 08:10

Resolved:: 11/Dec/19 08:10