Collect Server War uses highly vulnerable version of Jackson Databind #1199

Jackson Databind needs to be upgraded.
JavaMelody war uses a highly vulnerable version of the Jackson Databind library (version 2.6.6).
This issue exists for the latest available version of JavaMelody Collect Server (version 1.95.0).
Jackson Databind version 2.6.6 has a total of 51 vulnerabilities, 19 of which have a CVSS 3 score of 9.8 CRITICAL !!!
CVE-2020-9548
CVE-2020-9547
CVE-2020-8840
CVE-2019-20330
CVE-2019-17531
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14892
CVE-2019-14540
CVE-2019-14379
CVE-2018-7489
CVE-2018-14719
CVE-2018-14718
CVE-2018-11307
CVE-2017-7525
CVE-2017-17485
CVE-2017-15095
The complete list of CVEs for Jackson Databind version 2.6.6 can be found here:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.6.6

Comments

It does not concern the javamelody-core used by most.

Will this be fixed in the next release? This vulnerability shows up on the security scans of the JavaMelody collection servers even if we are not using this setting.

Yes, it will be.

Thank you. When will the next release be available?

Fixed by 8e82601, to be released in collector server 1.96.0 very soon.
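The report above is about a vulnerable jackson-databind jar bundled inside a deployed WAR, which is exactly what a scanner flags and what an operator can verify before and after upgrading. The following is an added example (not JavaMelody project code) of that check: it lists the archive members of a WAR, picks out jackson-databind jars by file name, and flags any whose version is below a minimum. It assumes the standard servlet layout where dependencies sit under WEB-INF/lib/ with the Maven version in the jar name (e.g. jackson-databind-2.6.6.jar); the sample listing and the minimum version constant are constructed placeholders, since the issue names the vulnerable version but not a fixed one.

```python
"""Flag jackson-databind jars inside a WAR whose version is below a chosen minimum.

Added example, not JavaMelody project code. Assumes the WAR bundles its
dependencies under WEB-INF/lib/ and that the jar file name carries the
Maven version, e.g. WEB-INF/lib/jackson-databind-2.6.6.jar.
"""
import re
import zipfile
from typing import Iterable, List, Tuple

# Matches a jackson-databind jar anywhere in the archive (normally WEB-INF/lib/)
# and captures the version string that follows the artifact name.
JAR_RE = re.compile(r"(?:^|/)jackson-databind-([0-9][\w.\-]*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.9.10.4' into (2, 9, 10, 4). Parsing stops at the first
    non-numeric piece, so '2.9.10-rc1' compares like 2.9.10."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_below(found: str, minimum: str) -> bool:
    """True when `found` is older than `minimum`. Shorter tuples are padded
    with zeros so that 2.9.10 == 2.9.10.0, and numeric comparison means
    2.10.0 ranks above 2.9.10.4 (a plain string compare would get that wrong)."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_outdated(entries: Iterable[str], minimum: str) -> List[Tuple[str, str]]:
    """Return (entry path, version) for every jackson-databind jar below `minimum`.

    `entries` are archive member names as produced by `jar tf` or zipfile.namelist()."""
    hits = []
    for entry in entries:
        entry = entry.strip()
        m = JAR_RE.search(entry)
        if m and version_below(m.group(1), minimum):
            hits.append((entry, m.group(1)))
    return hits


def scan_war(path: str, minimum: str) -> List[Tuple[str, str]]:
    """Open a real WAR (a zip file) and run the same check over its member list."""
    with zipfile.ZipFile(path) as war:
        return find_outdated(war.namelist(), minimum)


# Constructed listing standing in for the output of `jar tf <collector>.war`;
# not real project output. Version 2.6.6 is the one the issue reports.
SAMPLE_LISTING = [
    "META-INF/MANIFEST.MF",
    "WEB-INF/web.xml",
    "WEB-INF/lib/jackson-core-2.6.6.jar",
    "WEB-INF/lib/jackson-databind-2.6.6.jar",
    "WEB-INF/lib/javamelody-core-1.95.0.jar",
]

# Placeholder minimum: the operator sets this from the advisory they are
# acting on. The issue does not state a fixed version, so this is an assumption.
MINIMUM_JACKSON_DATABIND = "2.9.10.4"

if __name__ == "__main__":
    for path, version in find_outdated(SAMPLE_LISTING, MINIMUM_JACKSON_DATABIND):
        print(f"OUTDATED: {path} (found {version}, require >= {MINIMUM_JACKSON_DATABIND})")
```

Run `scan_war("/path/to/collector.war", MINIMUM_JACKSON_DATABIND)` against the actual artifact before and after the upgrade; an empty result after deployment is the evidence a scanner finding can be closed against. The file name check is deliberately cheap; where a build relabels or shades jars, read `META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties` inside the jar instead.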