Collect Server War uses highly vulnerable version of Jackson Databind #1199
Comments
evernat
changed the title
|
It does not concern the javamelody-core used by most. |
|
Will this be fixed in the next release? This vulnerability shows up on the security scans of the JavaMelody collection servers even if we are not using this setting. |
|
yes, it will be |
|
Thank you. When will the next release be available? |
evernat
added a commit
that referenced
this issue
Feb 6, 2024
|
fixed by 8e82601, to be released in collector server 1.96.0 very soon. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Jackson Databind needs to be upgraded.
JavaMelody war uses a highly vulnerable version of the Jackson Databind library (version 2.6.6).
This issue exists for the latest available version of JavaMelody Collect Server (version 1.95.0).
Jackson Databind version 2.6.6 has a total of 51 vulnerabilities, 19 of which have a CVSS 3 score of 9.8 CRITICAL !!!
CVE-2020-9548
CVE-2020-9547
CVE-2020-8840
CVE-2019-20330
CVE-2019-17531
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14892
CVE-2019-14540
CVE-2019-14379
CVE-2018-7489
CVE-2018-14719
CVE-2018-14718
CVE-2018-11307
CVE-2017-7525
CVE-2017-17485
CVE-2017-15095
The complete list of CVEs for Jackson Databind version 2.6.6 can be found here:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.6.6
The text was updated successfully, but these errors were encountered: