
Vulnerability in Spring dependency 'jackson-core-asl 1.9.13' [SPR-17376] #21909

Closed
spring-projects-issues opened this issue Oct 12, 2018 · 1 comment
Labels
in: core status: invalid

Comments


@spring-projects-issues spring-projects-issues commented Oct 12, 2018

Nick Eckert opened SPR-17376 and commented

Our binary scanner (Protecode SC) revealed vulnerabilities in jackson-core-asl 1.9.13, which is a dependency of jackson-mapper-asl 1.9.13, which is a dependency of org.springframework.security.oauth2 from Springframework v4.3.19 RELEASE.

https://nvd.nist.gov/vuln/detail/CVE-2018-7489

https://nvd.nist.gov/vuln/detail/CVE-2017-15095

https://nvd.nist.gov/vuln/detail/CVE-2017-7525

https://nvd.nist.gov/vuln/detail/CVE-2017-17485

https://nvd.nist.gov/vuln/detail/CVE-2018-5968


Please either upgrade the component or document why Spring isn't affected by these vulnerabilities.


Affects: 4.3.19


@spring-projects-issues spring-projects-issues commented Oct 13, 2018

Brian Clozel commented

Spring Framework 4.3 does not bring the Jackson dependency - it only compiles against it. Also, we're not compiling against 1.9 anyway.

You can see where this dependency is coming from using Maven (mvn dependency:tree) or Gradle (gradle dependencies), depending on your choice of build tool.

Did your scanner point to Spring Framework? If so, could you report that as a bug since Spring Framework doesn't depend strictly on Jackson?

This dependency is most likely coming from Spring Security OAuth. Could you create this issue against the Spring Security OAuth issue tracker?

https://github.com/spring-projects/spring-security-oauth/issues
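As an added example (not part of this issue thread or of any Spring project), a small Python parser for `mvn dependency:tree` output that prints the chain of parents leading to a given `group:artifact`, so a scanner finding such as jackson-core-asl can be traced to the module that actually pulls it in. The tree text below is constructed; its coordinates and versions are placeholders, not taken from the reporter's build.

```python
import re

# Constructed sample of `mvn dependency:tree` output (illustrative placeholders;
# the artifact, group and versions are assumptions, not the reporter's build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.springframework.security.oauth:spring-security-oauth2:jar:2.3.3.RELEASE:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |  \\- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  \\- org.springframework:spring-web:jar:4.3.19.RELEASE:compile
[INFO] \\- org.springframework:spring-webmvc:jar:4.3.19.RELEASE:compile
[INFO] ------------------------------------------------------------------------
"""

# A node line is the log prefix, then tree drawing (`+- `, `\- `, `|  ` or three
# spaces per nesting level), then a coordinate group:artifact:packaging:version[:scope].
NODE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>[|+\\\- ]*)"
    r"(?P<coord>[\w.\-]+:[\w.\-]+:[\w.\-]+:[\w.\-]+(?::\w+)?)$"
)


def parse_tree(text):
    """Yield (depth, coordinate) for every dependency node; depth 0 is the project."""
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            yield len(m.group("prefix")) // 3, m.group("coord")


def find_paths(text, artifact):
    """Return every root-to-node chain ending at `artifact` ('group:artifact')."""
    stack, paths = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]  # drop nodes at or below this depth (previous branch)
        stack.append(coord)
        group_artifact = ":".join(coord.split(":")[:2])
        if group_artifact == artifact:
            paths.append(list(stack))
    return paths


if __name__ == "__main__":
    # Shows which direct dependency is responsible for the flagged jar.
    for path in find_paths(SAMPLE_TREE, "org.codehaus.jackson:jackson-core-asl"):
        print(" -> ".join(path))
```

Run against a real tree with `mvn dependency:tree | python find_dep.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the chain shows whether the flagged artifact arrives via spring-security-oauth2 rather than spring-web.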

@spring-projects-issues spring-projects-issues added status: invalid type: enhancement in: core and removed type: enhancement labels Jan 11, 2019