Closed Syed-Shahul-Hameed closed 2 years ago
You can upgrade the transitive dependency as such (for Gradle, probably similar for Maven):

```kotlin
dependencies {
    implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.13.2")
    constraints {
        // Raise the transitively resolved jackson-databind to at least the patched release
        implementation("com.fasterxml.jackson.core:jackson-databind") {
            version {
                require("2.13.2.2")
            }
            because("Previous versions are vulnerable to denial of service attacks - CVE-2020-36518")
        }
    }
}
```
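A Maven counterpart to the Gradle constraint in the comment above, as an added example that is not part of the original thread: a `pom.xml` fragment that uses `dependencyManagement` to set the jackson-databind version Maven resolves when it is pulled in transitively by jackson-dataformat-xml. It assumes the project declares jackson-dataformat-xml 2.13.2 directly and has no other version pin for jackson-databind.

```xml
<!-- Added example: pom.xml fragment, not taken from the thread -->
<dependencyManagement>
  <dependencies>
    <!-- Sets the version Maven resolves for jackson-databind,
         including when it arrives as a transitive dependency -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.13.2.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Direct dependency, same coordinates and version as in the thread -->
  <dependency>
    <groupId>com.fasterxml.jackson.dataformat</groupId>
    <artifactId>jackson-dataformat-xml</artifactId>
    <version>2.13.2</version>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` afterwards shows which jackson-databind version the build actually resolves.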
Hi Team,
Still getting CVE-2020-36518 alert for "com.fasterxml.jackson.dataformat". Can you please help on this, as this alert has High severity? Reference maven - https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.13.2
Thanks in advance