Spring Boot 2.6.5 fails OWASP Check due to CVE-2020-36518 #30451
Comments
We'll upgrade to the new Jackson release as part of a semi-automated process. In the meantime you are, as ever, free to override the version of Jackson used in your application.
Hi @wilkinsona, I tried to override Jackson like you suggested but I'm getting an error on Gradle. I created a really simple Gradle project using Spring Initializr (you can check it here) and only added the following line to
This version contains the fix for the aforementioned CVE. When building the project, I get the following error:
Am I overriding the property incorrectly? Overriding this property on a Maven project works as intended.
Unfortunately, there's a bug in the Gradle module metadata for jackson-databind:2.13.2.1. It sounds like a fix is on the way. In the meantime there are a couple of workarounds in that issue too.
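For readers who want to see what the override discussed above looks like in a Gradle build, here is an added example (not from the issue or from the Spring Boot project). It assumes the Spring Boot Gradle plugin together with the io.spring.dependency-management plugin, which is what exposes the managed Jackson version as the jackson-bom.version property; the plugin versions and the starter dependency are my own choices for a minimal build file.

```groovy
// build.gradle (Groovy DSL). Added example; the plugin and dependency
// choices below are assumptions for a minimal Spring Boot 2.6.5 project.
plugins {
    id 'org.springframework.boot' version '2.6.5'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
}

// Without an override, Spring Boot 2.6.5's dependency management resolves
// jackson-databind 2.13.2, the version named in the updated CVE-2020-36518
// entry. Pinning the BOM property moves every managed Jackson artifact to
// the patched release in one place instead of per-dependency.
ext['jackson-bom.version'] = '2.13.2.1'

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
}
```

To confirm which version actually ends up on the runtime classpath (rather than trusting the property), run `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath` and check that the selected version is 2.13.2.1. If the build fails because of the Gradle module metadata problem mentioned in the reply above, the version to pin is the jackson-bom release that carries databind 2.13.2.1 rather than 2.13.2.1 itself; which BOM version that is should be taken from the Jackson issue linked in the thread, not guessed.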
Thank you so much @wilkinsona 👍🏻
Originally CVE-2020-36518 only affected Spring Boot 2.5.10, but the CVE was recently updated and now includes Jackson Databind 2.13.2 as well, which means that the very latest Spring Boot version, 2.6.5, is affected too. The CVE was fixed with Jackson Databind version 2.13.2.1.

2.5.10 issue: Consider updating Jackson dependency for Boot 2.5.10 due to CVE-2020-36518 #30354