Collect Server War uses highly vulnerable version of Jackson Databind #1199

Closed
mccartnl opened this issue Jan 29, 2024 · 5 comments

mccartnl commented Jan 29, 2024

Jackson Databind needs to be upgraded.

JavaMelody war uses a highly vulnerable version of the Jackson Databind library (version 2.6.6).

This issue exists for the latest available version of JavaMelody Collect Server (version 1.95.0).

Jackson Databind version 2.6.6 has a total of 51 vulnerabilities, 19 of which have a CVSS 3 score of 9.8 CRITICAL !!!

CVE-2020-9548
CVE-2020-9547
CVE-2020-8840
CVE-2019-20330
CVE-2019-17531
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14892
CVE-2019-14540
CVE-2019-14379
CVE-2018-7489
CVE-2018-14719
CVE-2018-14718
CVE-2018-11307
CVE-2017-7525
CVE-2017-17485
CVE-2017-15095

The complete list of CVEs for Jackson Databind version 2.6.6 can be found here:

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.6.6
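
A practical way to confirm what the issue reports, as an added example that is not code from the JavaMelody project or from the issue author: the script below opens a war, walks WEB-INF/lib/*.jar, reads the Maven pom.properties that jackson-databind ships inside its own jar (so a renamed copy is still caught), falls back to the conventional jar file name, and flags every copy older than a floor you supply. The sample war it builds is constructed for the demo, and the default floor of 2.9.10.4 is an assumed policy value, not a version taken from this thread; check each listed CVE's advisory for the release that actually fixes it.

```python
"""Check a war archive for bundled jackson-databind jars and flag old versions.

Added example, not JavaMelody project code. It looks at WEB-INF/lib/*.jar,
reads the Maven pom.properties that jackson-databind carries inside its jar,
and falls back to the jar file name when that properties file is missing.
"""
import io
import re
import sys
import zipfile

# Maven coordinates that jackson-databind records inside its own jar.
POM_PROPERTIES = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
# Fallback: the conventional jar file name, e.g. WEB-INF/lib/jackson-databind-2.6.6.jar
NAME_RE = re.compile(r"(?:^|/)jackson-databind-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version):
    """'2.9.10.4' -> (2, 9, 10, 4), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def version_from_jar(jar_bytes, jar_name):
    """Return the jackson-databind version for one jar, or None if it is not that library."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            if POM_PROPERTIES in jar.namelist():
                text = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        return value.strip()
    except zipfile.BadZipFile:
        pass  # not an archive we can open; only the file name is left to go on
    m = NAME_RE.search(jar_name)
    return m.group(1) if m else None


def find_jackson_databind(war):
    """Map jar path -> jackson-databind version for every match under WEB-INF/lib.

    `war` may be a file path or a file-like object; zipfile accepts both."""
    found = {}
    with zipfile.ZipFile(war) as archive:
        for name in archive.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                version = version_from_jar(archive.read(name), name)
                if version is not None:
                    found[name] = version
    return found


def outdated(found, minimum):
    """Entries whose version is strictly older than `minimum` (a policy the caller supplies)."""
    floor = parse_version(minimum)
    return {name: v for name, v in found.items() if parse_version(v) < floor}


def _jar_with_pom(version):
    """Constructed sample jar containing only the pom.properties marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"groupId=com.fasterxml.jackson.core\nversion={version}\n")
    return buf.getvalue()


def build_sample_war():
    """Constructed sample war (not a real JavaMelody build) mirroring the report:
    one jackson-databind 2.6.6 jar, one renamed copy only identifiable through its
    pom.properties, and one unrelated file that is not even a valid archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/jackson-databind-2.6.6.jar", _jar_with_pom("2.6.6"))
        war.writestr("WEB-INF/lib/renamed-bundle.jar", _jar_with_pom("2.9.10.4"))
        war.writestr("WEB-INF/lib/jackson-core-2.6.6.jar", b"not a zip")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_war()
    floor = sys.argv[2] if len(sys.argv) > 2 else "2.9.10.4"  # assumed floor for the demo
    hits = find_jackson_databind(target)
    flagged = outdated(hits, floor)
    for name, version in sorted(hits.items()):
        print(f"{'OUTDATED' if name in flagged else 'ok':8} {version:10} {name}")
```

Run it against the real artifact with `python check_war.py path/to/collect-server.war 2.9.10.4` (file names illustrative). Because it inspects the bundled jar rather than the call graph, it reports the dependency whether or not `heap-dump-s3-bucketname` or `cloudwatch-namespace` is configured, which is the same reason a generic dependency scanner flags the collect server regardless of its settings.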

evernat changed the title from "JavaMelody War uses highly vulnerable version of Jackson Databind" to "Collect Server War uses highly vulnerable version of Jackson Databind" on Jan 30, 2024

evernat commented Jan 30, 2024

It does not concern the javamelody-core used by most.
It concerns only the collect server and this jackson-databind dependency is used only when the heap-dump-s3-bucketname or cloudwatch-namespace parameters are set in the collect server.


mccartnl commented Jan 30, 2024

Will this be fixed in the next release? This vulnerability shows up on the security scans of the JavaMelody collection servers even if we are not using this setting.


evernat commented Jan 31, 2024

yes, it will be

mccartnl commented

Thank you. When will the next release be available?


evernat commented Feb 11, 2024

fixed by 8e82601, to be released in collector server 1.96.0 very soon.

evernat closed this as completed Feb 11, 2024