MavenGate (CVE) - Githubissues

FasterXML / jackson-jaxrs-providers

Multi-module project that contains Jackson-based "old" JAX-RS (ones under `javax.ws.rs`) providers for JSON, XML, YAML, Smile, CBOR formats

Apache License 2.0

111 stars 78 forks source link

MavenGate (CVE) #182

Closed amareshdlphx closed 7 months ago

amareshdlphx commented 7 months ago

XFrog triggers an alert XRAY-589059 on packages:

com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider
com.fasterxml.jackson.jaxrs:jackson-jaxrs-base
com.fasterxml.jackson.core:jackson-databind
com.fasterxml.jackson.core:jackson-core
com.fasterxml.jackson.core:jackson-annotations

Looks like domain name com.fasterxml.jackson.jaxrs is not registered hence the groupId can be claimed by malicious user.

cowtowncoder commented 7 months ago

@amareshdlphx That is not true. fasterxml.com domain is registered by me; has been for years. Please do not spread FUD when you do not actually have information on subject. You could -- for example -- have checked out web page served from http://fasterxml.com/ .