carm-es / csvstorage

Project for the installation and evolutionary development of the distributable version of CSV Storage from the Centro de Transferencia Tecnológica: https://administracionelectronica.gob.es/ctt/inside
European Union Public License 1.1

CVE com.fasterxml.jackson.core:jackson-databind 2.6.7 - minor upgrade #6

Open carm-es opened 5 years ago

carm-es commented 5 years ago

Update com.fasterxml.jackson.core:jackson-databind to a minimum version of 2.9.10.7. The project currently has a dependency on com.fasterxml.jackson.core:jackson-databind:2.6.7

The CVEs reported for versions prior to com.fasterxml.jackson.core:jackson-databind:2.9.10.7 are:

https://nvd.nist.gov/vuln/detail/CVE-2020-25649
https://nvd.nist.gov/vuln/detail/CVE-2021-20190
https://nvd.nist.gov/vuln/detail/CVE-2018-5968
https://nvd.nist.gov/vuln/detail/CVE-2019-17267
https://nvd.nist.gov/vuln/detail/CVE-2020-9548
https://nvd.nist.gov/vuln/detail/CVE-2020-9547
https://nvd.nist.gov/vuln/detail/CVE-2020-10673
https://nvd.nist.gov/vuln/detail/CVE-2019-14892
https://nvd.nist.gov/vuln/detail/CVE-2020-8840
https://nvd.nist.gov/vuln/detail/CVE-2019-20330
https://nvd.nist.gov/vuln/detail/CVE-2017-7525
https://nvd.nist.gov/vuln/detail/CVE-2019-16943
https://nvd.nist.gov/vuln/detail/CVE-2019-17531
https://nvd.nist.gov/vuln/detail/CVE-2019-16942
https://nvd.nist.gov/vuln/detail/CVE-2019-12384
https://nvd.nist.gov/vuln/detail/CVE-2019-16335
https://nvd.nist.gov/vuln/detail/CVE-2019-14540
https://nvd.nist.gov/vuln/detail/CVE-2019-14379
https://nvd.nist.gov/vuln/detail/CVE-2019-14439
https://nvd.nist.gov/vuln/detail/CVE-2019-12814
https://nvd.nist.gov/vuln/detail/CVE-2018-11307
https://nvd.nist.gov/vuln/detail/CVE-2019-12086
https://nvd.nist.gov/vuln/detail/CVE-2018-12022
https://nvd.nist.gov/vuln/detail/CVE-2017-17485
https://nvd.nist.gov/vuln/detail/CVE-2017-15095
https://nvd.nist.gov/vuln/detail/CVE-2018-7489
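As an added example that is not part of this issue or of the csvstorage project, the script below scans a pom.xml for declared dependencies that fall below a required minimum version, using the 2.9.10.7 floor for jackson-databind requested above. The sample pom, every coordinate in it other than jackson-databind, and the version-comparison rules (a simplification of Maven's ComparableVersion that ignores qualifiers such as RELEASE) are assumptions made for the example. The point it illustrates is that a naive string comparison gets this wrong: "2.9.10" sorts after "2.9.10.7" as text but is older as a version.

```python
"""Flag declared Maven dependencies that sit below a required minimum version."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not the project's real pom). The jackson-databind
# coordinate and version match the issue; the other entries are assumptions.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>csvstorage-sample</artifactId>
  <version>0.0.1</version>
  <properties>
    <jackson.version>2.6.7</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-actuator</artifactId>
      <version>1.3.8.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

# Minimum acceptable versions, keyed by groupId:artifactId.
# The jackson-databind floor is the one this issue asks for.
MINIMUM_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.10.7",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn a Maven-style version into a tuple of integers.

    Segments are split on '.' and '-'; parsing stops at the first
    non-numeric segment, so qualifiers like RELEASE or Final are ignored.
    This is deliberately simpler than Maven's ComparableVersion.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        if not token.isdigit():
            break
        parts.append(int(token))
    return tuple(parts)


def version_lt(a, b):
    """True when version a is older than version b.

    Shorter tuples are zero-padded so 2.9.10 compares as 2.9.10.0,
    which is older than 2.9.10.7 and equal to 2.9.10.0.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def resolve(value, properties):
    """Expand ${name} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: properties.get(m.group(1), m.group(0)), value)


def find_outdated(pom_xml, minimums=MINIMUM_VERSIONS):
    """Return (coordinate, declared_version, required_minimum) for each
    declared dependency whose resolved version is below its minimum."""
    root = ET.fromstring(pom_xml)
    properties = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for child in props_el:
            # child.tag looks like '{namespace}jackson.version'; keep the local name
            properties[child.tag.split("}", 1)[-1]] = (child.text or "").strip()

    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        version = resolve(raw, properties)
        key = f"{group}:{artifact}"
        floor = minimums.get(key)
        if floor and version_lt(version, floor):
            findings.append((key, version, floor))
    return findings


if __name__ == "__main__":
    for coordinate, declared, required in find_outdated(SAMPLE_POM):
        print(f"{coordinate} is {declared}, minimum required is {required}")
```

The check only covers dependencies declared in the pom itself; a vulnerable jackson-databind pulled in transitively (for example through a Spring Boot starter) would not appear here, so in practice the same comparison should be run over the output of `mvn dependency:tree` or a dependency-check tool as well.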

ja-garcia commented 4 years ago

This issue is intentionally postponed, after verifying as part of #46 that upgrading jackson-databind (raising the minor above 2.6) is incompatible with spring-boot-starter-actuator 1.3.8. It would therefore be advisable to address this issue jointly with #4 (in addition, upgrading spring-boot above version 1.3 has also been tested, but it requires migrating to log4j2).