Vulnerability in Spring dependency 'jackson-core-asl 1.9.13' [SPR-17376] #21909

spring-projects-issues opened this issue Oct 12, 2018 · 1 comment
in: core status: invalid



@spring-projects-issues spring-projects-issues commented Oct 12, 2018

Nick Eckert opened SPR-17376 and commented

Our binary scanner (Protecode SC) revealed vulnerabilities in jackson-core-asl 1.9.13, which is a dependency of jackson-mapper-asl 1.9.13, which is a dependency of Springframework v4.3.19 RELEASE.


Please either upgrade the component or document why Spring isn't affected by these vulnerabilities.

Affects: 4.3.19


@spring-projects-issues spring-projects-issues commented Oct 13, 2018

Brian Clozel commented

Spring Framework 4.3 does not bring the Jackson dependency - it only compiles against it. Also, we're not compiling against 1.9 anyway.

You can see where this dependency is coming from using Maven (mvn dependency:tree) or Gradle (gradle dependencies), depending on your choice of build tool.

Did your scanner point to Spring Framework? If so, could you report that as a bug since Spring Framework doesn't depend strictly on Jackson?

This dependency is most likely coming from Spring Security OAuth. Could you create this issue against the Spring Security OAuth issue tracker?

@spring-projects-issues spring-projects-issues added status: invalid type: enhancement in: core and removed type: enhancement labels Jan 11, 2019
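
Added example, not part of the original thread or of any Spring project's code: a small Python parser for the text output of `mvn dependency:tree` that reports which chain of dependencies pulls in `org.codehaus.jackson:jackson-core-asl`, the check the reply above suggests. The sample tree is constructed to mirror the scenario described in the thread; `com.example:app`, the `0.0.0-SAMPLE` versions and the function name `paths_to` are assumptions.

```python
import re

# Constructed sample of `mvn dependency:tree` output. The project coordinates
# and every 0.0.0-SAMPLE version are placeholders, not values from the issue.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:0.0.0-SAMPLE
[INFO] +- org.springframework:spring-core:jar:4.3.19.RELEASE:compile
[INFO] |  \- commons-logging:commons-logging:jar:0.0.0-SAMPLE:compile
[INFO] \- org.springframework.security.oauth:spring-security-oauth2:jar:0.0.0-SAMPLE:compile
[INFO]    +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO]    |  \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    \- org.springframework:spring-beans:jar:4.3.19.RELEASE:compile
"""

# A dependency line: optional "[INFO] " prefix, indentation in 3-character
# units ("|  " or "   "), a "+- " or "\- " marker, then the coordinates.
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)[+\\]- (\S+)")
# A module root line: bare group:artifact:type:version with no tree marker.
ROOT = re.compile(r"^(?:\[INFO\] )?([\w.\-]+(?::[\w.\-]+){3})$")


def paths_to(tree_text, artifact):
    """Return each root-to-node chain ending at the given "group:artifact"."""
    stack, found = [], []
    for line in tree_text.splitlines():
        node, root = NODE.match(line), ROOT.match(line)
        if root:
            depth, coords = 0, root.group(1)
        elif node:
            depth, coords = len(node.group(1)) // 3 + 1, node.group(2)
        else:
            continue  # banner, blank or summary line
        del stack[depth:]  # drop siblings and deeper nodes already visited
        stack.append(coords)
        if ":".join(coords.split(":")[:2]) == artifact:
            found.append(list(stack))
    return found


if __name__ == "__main__":
    for chain in paths_to(SAMPLE_TREE, "org.codehaus.jackson:jackson-core-asl"):
        print(" -> ".join(chain))
```

The same function accepts a file written with `mvn dependency:tree -DoutputFile=tree.txt`, which omits the `[INFO] ` prefix.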