jackson-databind vulnerabilities #2783

Closed
beena-yatin-kanyal opened this issue May 30, 2019 · 5 comments · Fixed by #2826

@beena-yatin-kanyal

The dropwizard core 1.3.9 version (io.dropwizard:dropwizard-core:jar:1.3.9) is using jackson-databind:jar:2.9.8, which has the vulnerability issue: CVE-2019-12086. Is there any plan to mitigate this issue? Please suggest!

@serhiypal

There is already 1.3.12 with jackson 2.9.9 on board.

@serhiypal

@beena-yatin-kanyal
Author

Thanks. It has resolved the issue for "jackson-databind-2.9.8", but the vulnerability issue: CVE-2018-1000840 still exists in dropwizard core 1.3.12 version.

@anthonymonori

Can we close this issue, or should we use this for all future such instances, like right now with https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814?

@pstackle
Contributor

jackson-databind already has a fix and is pending a 2.9.9.1 release (FasterXML/jackson-databind#2341).

@joschi joschi added this to the 2.0.0 milestone Jun 25, 2019
mpbalmeida pushed a commit to mpbalmeida/dropwizard that referenced this issue Jul 3, 2019
Due to a vulnerability in jackson 2.9.9 it is being upgraded to 2.9.9.1

Closes dropwizard#2783
mpbalmeida added a commit to mpbalmeida/dropwizard that referenced this issue Jul 3, 2019
Due to a vulnerability in jackson 2.9.9 it is being upgraded to 2.9.9.1

Closes dropwizard#2783
mpbalmeida added a commit to mpbalmeida/dropwizard that referenced this issue Jul 3, 2019
Due to a vulnerability in jackson-databind 2.9.9 it is being upgraded to 2.9.9.1

Closes dropwizard#2783
mpbalmeida added a commit to mpbalmeida/dropwizard that referenced this issue Jul 3, 2019
Due to a vulnerability in jackson-databind 2.9.9.1 it is being upgraded to 2.9.9.1

Closes dropwizard#2783
@joschi joschi removed the blocked label Jul 9, 2019
joschi pushed a commit that referenced this issue Jul 9, 2019
Due to a vulnerability in jackson 2.9.9 it is being upgraded to 2.9.9.1

Closes #2783
mpbalmeida added a commit to mpbalmeida/dropwizard that referenced this issue Jul 9, 2019
Due to a vulnerability in jackson-databind 2.9.9.1 it is being upgraded to 2.9.9.1

Closes dropwizard#2783
joschi pushed a commit that referenced this issue Jul 9, 2019