Nick Eckert opened SPR-17377 and commented
Our binary scanner (Protecode SC) revealed a vulnerability in jackson-mapper-asl 1.9.13 which is a dependency of org.springframework.security.oauth2 from Springframework v4.3.19 RELEASE.
Please either upgrade the component or document why Spring isn't affected by this vulnerability.
Reference URL: https://nvd.nist.gov/vuln/detail/CVE-2016-7051
Brian Clozel commented
Spring Framework 4.3 does not bring the Jackson dependency - it only compiles against it. Also, we're not compiling against 1.9 anyway.
You can see where this dependency is coming from using Maven (mvn dependency:tree) or Gradle (gradle dependencies), depending on your choice of build tool.
Did your scanner point to Spring Framework? If so, could you report that as a bug since Spring Framework doesn't depend strictly on Jackson?
This dependency is most likely coming from Spring Security OAuth. Could you create this issue against the Spring Security OAuth issue tracker?
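The dependency trace suggested in the comment above, as an added example that is not part of the original thread or of any Spring project: a Python script that parses `mvn dependency:tree` text output and reports the chain of artifacts that pulls in the flagged one. The sample output is constructed; the application coordinates and the `X.Y.Z` version are placeholders.

```python
import re

# Constructed sample of `mvn dependency:tree` output. The application
# coordinates and the X.Y.Z version are placeholders, not values from the issue.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.springframework:spring-web:jar:4.3.19.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.19.RELEASE:compile
[INFO] \- org.springframework.security.oauth:spring-security-oauth2:jar:X.Y.Z:compile
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
"""

# One artifact line: optional "[INFO] " prefix, 3-character indent units,
# an optional "+- " or "\- " branch marker, then colon-separated coordinates
# (group:artifact:type[:classifier]:version[:scope]).
NODE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?"
    r"(?P<coords>[^\s:]+(?::[^\s:]+){3,5})\s*$"
)


def parse_tree(text):
    """Yield (depth, coordinates) for each artifact line; the root has depth 0."""
    for line in text.splitlines():
        m = NODE.match(line)
        if m:
            depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
            yield depth, m.group("coords")


def find_paths(text, group_artifact):
    """Return every root-to-artifact chain that ends at group:artifact."""
    stack, paths = [], []
    for depth, coords in parse_tree(text):
        stack = stack[:depth] + [coords]  # drop siblings and deeper nodes
        if coords.startswith(group_artifact + ":"):
            paths.append(list(stack))
    return paths


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "org.codehaus.jackson:jackson-mapper-asl"):
        print(" -> ".join(path))
```

The artifact printed immediately before the flagged one is the component that declares it, which is the project whose tracker the report belongs on.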