[jira] [Created] (TIKA-2964) Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs


Sebastian Nagel (Jira)
Alex Ott created TIKA-2964:
------------------------------

             Summary: Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs
                 Key: TIKA-2964
                 URL: https://issues.apache.org/jira/browse/TIKA-2964
             Project: Tika
          Issue Type: Bug
          Components: parser
    Affects Versions: 1.23
            Reporter: Alex Ott


When compiling the latest version of the source code, the following error is reported:

{noformat}
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project tika-parsers: Detected 1 vulnerable components:
[ERROR]   com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10
[ERROR]     * [CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680
[ERROR]     * [CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e
{noformat}

We need to bump the version after 2.9.10.1 is released, or consider switching to 2.10, which isn't vulnerable...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
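As an added example (not part of the issue or of the Tika project), a small Python script that parses the ossindex-maven-plugin audit lines quoted above, extracts the affected coordinate and its CVE IDs, and checks the reported version against the two fix versions the issue names. The sample output, the FIXED_VERSIONS table and the numeric version comparison are this example's own assumptions.

```python
import re

# Constructed sample of ossindex-maven-plugin audit output, modelled on the
# lines quoted in TIKA-2964 (not captured from a real build).
SAMPLE_AUDIT_OUTPUT = """\
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project tika-parsers: Detected 1 vulnerable components:
[ERROR]   com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10
[ERROR]     * [CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680
[ERROR]     * [CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e
"""

# Assumption for this example: the fix versions named in the issue; any
# version at or above the lowest entry is treated as fixed.
FIXED_VERSIONS = {"com.fasterxml.jackson.core:jackson-databind": ["2.9.10.1", "2.10.0"]}

# "[ERROR]   group:artifact:type:version:scope; <url>" component lines
COMPONENT_RE = re.compile(
    r"^\[ERROR\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):"
    r"(?P<type>\w+):(?P<version>[\w.\-]+):(?P<scope>\w+);"
)
# "[ERROR]     * [CVE-YYYY-NNNN] ..." vulnerability lines under a component
CVE_RE = re.compile(r"^\[ERROR\]\s+\*\s+\[(?P<cve>CVE-\d{4}-\d{4,})\]")

def parse_audit(text):
    """Return [(coordinate, version, [cve, ...]), ...] from plugin output."""
    findings = []
    for line in text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            findings.append((f"{m['group']}:{m['artifact']}", m["version"], []))
            continue
        c = CVE_RE.match(line)
        if c and findings:  # CVE lines belong to the most recent component
            findings[-1][2].append(c["cve"])
    return findings

def version_key(version):
    """Numeric tuple so 2.9.10 < 2.9.10.1 < 2.10.0 (string order puts 2.10.0 first)."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def is_fixed(coordinate, version):
    """True when the reported version is at or above the lowest fixed version."""
    fixed = FIXED_VERSIONS.get(coordinate)
    if not fixed:
        return False  # unknown component: keep the finding as unresolved
    return version_key(version) >= min(version_key(f) for f in fixed)

def unresolved(text):
    """Findings whose reported version is still below the fix threshold."""
    return [f for f in parse_audit(text) if not is_fixed(f[0], f[1])]
```

Running `unresolved` over the captured build output gives the list of components still needing a bump; once the pom carries 2.9.10.1 or 2.10.0 the list is empty.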