Update jackson-databind dependency in the main POM file to fix CVE-2020-36518 #11188

Closed
abstractj opened this issue Apr 8, 2022 · 1 comment · Fixed by #11190
Labels
area/dependencies kind/cve Issues identified as CVEs on third-party dependencies, or issues by which Keycloak is not affected

Comments

abstractj commented Apr 8, 2022

Describe the bug

The dependency of Jackson Databind used by the Quarkus distribution is impacted by https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518. The simple fix is to upgrade.

It wasn't updated before on #11071 due to concerns about breaking changes, but I noticed that 2.12.6.1 also contains patches for this CVE.

More details

GitHub Commit
GitHub Issue
GitHub PR

Version

17.0.1

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response
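
The issue asks for the jackson-databind version in the main POM to be raised past the fix for CVE-2020-36518. As an added example (not code from the reporter or from Keycloak), the following script checks a POM for a jackson-databind declaration, resolves a `${property}` version reference, and flags versions below the first fixed release of the same branch. The sample POM is constructed here; 2.12.6.1 is the fixed release named in the issue and 2.13.2.1 is the equivalent fix on the 2.13 line.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not Keycloak's own POM): the version is set
# through a Maven property, as is common in a parent POM.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jackson.version>2.12.6</jackson.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# First jackson-databind release on each affected branch that carries the fix
# for CVE-2020-36518 (2.12.6.1 is named in the issue; 2.13.2.1 is the
# corresponding fix on the 2.13 line). 2.14 and later include the fix.
FIXED = {(2, 12): (2, 12, 6, 1), (2, 13): (2, 13, 2, 1)}

def parse_version(text):
    # Patch releases such as 2.12.6.1 have four components; compare numerically.
    return tuple(int(p) for p in re.findall(r"\d+", text))

def jackson_databind_version(pom_xml):
    """Return the declared jackson-databind version, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if dep.findtext("m:artifactId", namespaces=NS) == "jackson-databind":
            raw = dep.findtext("m:version", namespaces=NS) or ""
            return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
    return None

def is_vulnerable(version):
    """True when the version predates the CVE-2020-36518 fix for its branch."""
    v = parse_version(version)
    if v[:2] not in FIXED:
        return v < (2, 12)  # branches older than 2.12 never received the fix
    return v < FIXED[v[:2]]
```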

ahrycej commented Nov 30, 2022

This is still there in Keycloak 18, and it is in 20 too. Could this be updated? I have the Quarkus distribution.

@abstractj abstractj added kind/cve Issues identified as CVEs on third-party dependencies, or issues by which Keycloak is not affected and removed kind/bug Categorizes a PR related to a bug labels Dec 5, 2022