Open alexopoulos7 opened 1 year ago
Updating fasterxml library to 2.13.3.
Trying to fix: https://cwe.mitre.org/data/definitions/502.html
Here for more comments: https://www.cybersecurity-help.cz/vulnerabilities/49367/
@alexopoulos7 Thanks for your contribution!
But sorry and unfortunately, we are not able to merge this immediately. This is because:
This is why we have kept the Jackson versions so old so far. We're trying to resolve this problem fundamentally, through the "development" series, Embulk v0.10.
It was definitely a bad design. But we had to fight with it because the Embulk eco-system was already established when I took it over.
See:
The v0.10 effort needs a lot of plugins to "catch-up", and we've spent much time on the catch-ups.
After the catch-up, the Embulk core would have its own Jackson which is invisible to plugins, and plugins would have their own Jackson which is not interfered with by the Embulk core. The core and plugins would be able to upgrade without any mutual locking.
We are aware of the vulnerability, of course. But after investigating it, we concluded that normal use-cases of Embulk are not highly impacted by it. Then we decided to keep it until the catch-ups and v0.10 are done.
Sorry for taking time on it. The catch-up has taken much longer than expected, but I believe we're close to the goal...
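The maintainer's point above is that a plugin currently sees whichever Jackson the Embulk core loads, so the version in a plugin's own build file says nothing about what actually runs. The following is an added diagnostic (not Embulk's code, not part of this PR) that a plugin or operator can run to check which Jackson version and jar the plugin's classloader really resolves, and whether it is at or above the 2.13.3 the PR targets. It uses only public Jackson API (`ObjectMapper.version()` and the `Version` accessors); the `MIN_VERSION` constant and the class name are this example's own choices.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URL;
import java.security.CodeSource;

// Added example: report which jackson-databind a plugin actually gets at runtime.
public class JacksonVersionCheck {

    // Assumption for this example: the minimum acceptable version is the one the PR upgrades to.
    static final int MIN_MAJOR = 2, MIN_MINOR = 13, MIN_PATCH = 3;

    // Version as embedded in the jackson-databind jar itself (PackageVersion), not a manifest guess.
    static Version loadedVersion() {
        return new ObjectMapper().version();
    }

    // Jar (or directory) that ObjectMapper was loaded from; "unknown" if the JVM hides it.
    static String loadedFrom() {
        CodeSource cs = ObjectMapper.class.getProtectionDomain().getCodeSource();
        URL location = (cs == null) ? null : cs.getLocation();
        return (location == null) ? "unknown" : location.toString();
    }

    // Which classloader resolved the class: tells you whether the core or the plugin supplied it.
    static String loadedBy() {
        ClassLoader cl = ObjectMapper.class.getClassLoader();
        return (cl == null) ? "bootstrap" : cl.toString();
    }

    // Numeric compare of major.minor.patch; ignores snapshot suffixes on purpose.
    static boolean isAtLeastMinimum(Version v) {
        if (v.getMajorVersion() != MIN_MAJOR) return v.getMajorVersion() > MIN_MAJOR;
        if (v.getMinorVersion() != MIN_MINOR) return v.getMinorVersion() > MIN_MINOR;
        return v.getPatchLevel() >= MIN_PATCH;
    }

    public static void main(String[] args) {
        Version v = loadedVersion();
        System.out.println("jackson-databind version : " + v.toString());
        System.out.println("loaded from              : " + loadedFrom());
        System.out.println("loaded by                : " + loadedBy());
        boolean ok = isAtLeastMinimum(v);
        System.out.println("at least " + MIN_MAJOR + "." + MIN_MINOR + "." + MIN_PATCH + " : " + ok);
        // Non-zero exit so a CI job or startup hook can fail fast on an old core-supplied Jackson.
        if (!ok) System.exit(1);
    }
}
```

Run it from inside the plugin's classpath (or as a tiny task in the plugin's test suite) rather than from a standalone JVM: the whole point is to observe the classloader the plugin actually runs under, where the core's Jackson, not the plugin's declared dependency, may win.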
Fix for issue #241