Recent GHSAs from Jackson are not available in global GHSA database

[beth-soptim]

Hi,

is there any special reason why the recent security issues in Jackson only have GHSAs inside the Jackson project [1] but not in the "global" GHSA database [2]?

Thus, many vulnerability scanners will not detect these issues.

[1] https://github.com/FasterXML/jackson-databind/security/advisories
[2] https://github.com/github/advisory-database

[pjfanning]

@beth-soptim You'll have to ask GitHub.

[beth-soptim]

So GitHub should add that to the database on its own, but for some unknown reason, that hasn't happened yet?

[pjfanning]

• we submitted these to GHSA team and after that, we have no control - the step is called 'Publish Advisory'
• I have no idea why GHSA team have not published the CVEs yet despite allocating CVE ids and why they are not in https://github.com/github/advisory-database because I do not work for GitHub

[cowtowncoder]

Once CVEs publish (which I understand should be done by Github), we should be good?

[beth-soptim]

Finally they are now available in the GHSA database: