There is a vulnerability in Jackson Core 2.9.6 ,upgrade recommended

Esri / geometry-api-java

The Esri Geometry API for Java enables developers to write custom applications for analysis of spatial data. This API is used in the Esri GIS Tools for Hadoop and other 3rd-party data processing solutions.

Apache License 2.0

693 stars 260 forks source link

There is a vulnerability in Jackson Core 2.9.6 ,upgrade recommended #277

Open QiAnXinCodeSafe opened 4 years ago

QiAnXinCodeSafe commented 4 years ago

https://github.com/Esri/geometry-api-java/blob/a1af6612f4de7fc1baee1c331c335f154a4a96c9/pom.xml#L112-L117

Reference source:https://github.com/FasterXML/jackson-core/issues/488

stolstov commented 4 years ago

@randallwhitman fyi

randallwhitman commented 4 years ago

The deployed version of Jackson would matter more than the compile-dependency version. In production, one should almost always deploy a newer version than the declared compile-time dependency. That said, Jackson-2.10 finally resolves the issue underlying the perpetual jackson-databind vulnerabilities.