Vulnerability in Spring dependency 'jackson-mapper-asl 1.9.13' [SPR-17377] #21910
Labels
in: core
Issues in core modules (aop, beans, core, context, expression)
status: invalid
An issue that we don't feel is valid
Comments
|
Brian Clozel commented Spring Framework 4.3 does not bring the Jackson dependency - it only compiles against it. Also, we're not compiling against 1.9 anyway. You can see where this dependency is coming from using Maven ( Did your scanner point to Spring Framework? If so, could you report that as a bug since Spring Framework doesn't depend strictly on Jackson? This dependency is most likely coming from Spring Security OAuth. Could you create this issue against the Spring Security OAuth issue tracker? https://github.com/spring-projects/spring-security-oauth/issues |
spring-projects-issues
added
status: invalid
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Nick Eckert opened SPR-17377 and commented
Our binary scanner (Protecode SC) revealed a vulnerability in jackson-mapper-asl 1.9.13 which is a dependency of org.springframework.security.oauth2 from Springframework v4.3.19 RELEASE.
Please either upgrade the component or document why Spring isn't affected by this vulnerability.
Affects: 4.3.19
Reference URL: https://nvd.nist.gov/vuln/detail/CVE-2016-7051
The text was updated successfully, but these errors were encountered: