FasterXML / jackson-dataformat-xml

Extension for Jackson JSON processor that adds support for serializing POJOs as XML (and deserializing from XML) as an alternative to JSON
Apache License 2.0

getting CVE-2020-36518 alert for - com.fasterxml.jackson.dataformat:jackson-dataformat-xml with severity High #518

Closed. Syed-Shahul-Hameed closed this 2 years ago

Syed-Shahul-Hameed commented 2 years ago

Hi Team,

Still getting CVE-2020-36518 alert for "com.fasterxml.jackson.dataformat". Can you please help on this, as this alert has High severity? Reference maven - https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.13.2

Thanks in advance

torland-klev commented 2 years ago

You can upgrade the transitive dependency as such (for Gradle, probably similar for Maven):

// build.gradle.kts (Kotlin DSL); the constraints block belongs inside dependencies { }
dependencies {
    implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.13.2")
    constraints {
        // jackson-dataformat-xml 2.13.2 pulls in jackson-databind transitively;
        // this constraint forces the resolved version to be at least 2.13.2.2
        implementation("com.fasterxml.jackson.core:jackson-databind") {
            version {
                require("2.13.2.2")
            }
            because("Previous versions are vulnerable to denial of service attacks - CVE-2020-36518")
        }
    }
}
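The Maven counterpart the reply alludes to, added here as an example and not taken from the thread: a dependencyManagement entry pins the transitive jackson-databind that jackson-dataformat-xml 2.13.2 declares, using the 2.13.2.2 version named above.

```xml
<!-- pom.xml: override the transitive jackson-databind version (added example) -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <!-- 2.13.2.2 is the patched version from the thread; dependencyManagement
           wins over the version jackson-dataformat-xml 2.13.2 pulls in transitively -->
      <version>2.13.2.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>com.fasterxml.jackson.dataformat</groupId>
    <artifactId>jackson-dataformat-xml</artifactId>
    <version>2.13.2</version>
  </dependency>
</dependencies>
```

Verify the resolved version with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` (Maven) or `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath` (Gradle); it should report 2.13.2.2 or later. CVE-2020-36518 lives in jackson-databind, which is why the pin targets that artifact rather than jackson-dataformat-xml itself.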