In Spring Boot 2.5.10, spring-boot-starter-json depends on jackson-databind version 2.12.6. Dependency-Check 7.0.0 will flag this with a high CVSS score - CVE-2020-36518.
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.0.0:check (default) on project jackson-demo:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] jackson-databind-2.12.6.jar: CVE-2020-36518(7.5)
This issue does not affect Spring Boot 2.6.4 and I do understand that it is advisable to upgrade ASAP to that version. But since the 2.5.x branch is still supported, I wanted to raise this issue for completeness.
We won’t upgrade to a new minor version of a dependency in a maintenance release of Spring Boot. You can either upgrade to Spring Boot 2.6.x or stick with 2.5.x and use the jackson.version property to opt in to the upgrade.
@alexsheppard11 there is no need to ask. As mentioned on several occasions, we have a semi-automated upgrade process that will upgrade dependencies to whatever matches our 3rd party upgrade policy. And there is no need to wait for us to release, as you can already use jackson.version as described above.
Related issue: FasterXML/jackson-databind#2816
Demo project to reproduce the issue: https://github.com/ghillert/boot-jackson-cve/tree/main
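The maintainer's suggestion above is to stay on 2.5.x and opt in to a newer Jackson through the jackson.version property. The pom.xml below is an added example of that override, not code from the Spring Boot project or from the demo repository linked above. It assumes a project that inherits from spring-boot-starter-parent 2.5.10, and it assumes 2.12.6.20220326 as the jackson-bom release that manages the patched jackson-databind 2.12.6.1 (the 2.12.x fix for CVE-2020-36518); confirm the exact BOM version against Maven Central before relying on it.

```xml
<!-- Added example: Maven project inheriting from spring-boot-starter-parent 2.5.10 (assumed). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.10</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>jackson-override-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Spring Boot manages Jackson by importing jackson-bom at ${jackson.version}.
         Overriding the property in a child of spring-boot-starter-parent replaces
         that BOM version, so every com.fasterxml.jackson.* artifact moves together
         rather than leaving jackson-core and jackson-databind on mismatched lines.
         The value must be a published jackson-bom version, not a bare jackson-databind
         version; 2.12.6.20220326 is assumed here as the 2.12.x BOM that pins the
         patched jackson-databind 2.12.6.1. -->
    <jackson.version>2.12.6.20220326</jackson.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-json</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Same scanner and version as in the report above, so the result is comparable. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>7.0.0</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Verify the override took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` before re-running `mvn org.owasp:dependency-check-maven:7.0.0:check`; the tree should show a single jackson-databind on the patched version. Two caveats. First, the property override only works when the project inherits from spring-boot-starter-parent; a project that instead imports spring-boot-dependencies in its own dependencyManagement must import jackson-bom at the chosen version there, declared before the spring-boot-dependencies import, because Maven honours the first BOM that manages a given artifact. Second, Dependency-Check matches on the artifact version it finds in the classpath, so a transitive jackson-databind pulled in by some other library at an older version will still be reported even after the Spring Boot managed version changes, which is exactly what the dependency:tree check above is there to catch.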