intercom / intercom-java

Java bindings for the Intercom API
https://developers.intercom.io/reference
Apache License 2.0

Multiple CVEs exist on the Jackson version used by the intercom library. #285

Closed XanderAtBackboneSystems closed 3 years ago

XanderAtBackboneSystems commented 4 years ago

When analyzing our project (which includes intercom-java library version 2.8.0) using a CVE dependency checker, multiple CVEs are detected on the Jackson dependencies of the intercom-java library.

The offending dependencies are:

- com.fasterxml.jackson.core:jackson-core:jar:2.9.6
  CVE: CVE-2020-24616
- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.6
  CVE: CVE-2020-24616
- com.fasterxml.jackson.core:jackson-databind:jar:2.9.6
  CVE: CVE-2020-9547, CVE-2020-9548, CVE-2019-14379, CVE-2020-14195, CVE-2019-14439, CVE-2020-10969, CVE-2020-11619, CVE-2019-12814, CVE-2020-10968, CVE-2019-20330, CVE-2020-10673, CVE-2020-11620, CVE-2018-14718, CVE-2018-1000873, CVE-2018-14719, CVE-2019-17531, CVE-2020-10672, CVE-2019-12086, CVE-2019-14540, CVE-2019-12384, CVE-2020-9546, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2019-16942, CVE-2019-16943, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2020-11113, CVE-2019-17267, CVE-2019-16335, CVE-2018-14721, CVE-2020-11112, CVE-2018-14720, CVE-2019-14893, CVE-2020-11111, CVE-2020-8840, CVE-2019-14892

Upgrading Jackson to a newer version would solve many of these issues. The safest candidate without CVEs would be 2.9.10 (2.9.10.6 for databind).

Of course upgrade to 2.10 or 2.11 is also possible.

Attached is the output of the maven plugin: output.log
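A consumer of intercom-java 2.8.0 does not have to wait for the library itself to move: Maven lets the application pin a transitive dependency through `dependencyManagement`, which takes precedence over the version the library declares. The pom.xml fragment below is an added example for this thread, not part of the intercom-java project or the reporter's build. It pins the versions named in the report (2.9.10 for jackson-core and jackson-annotations, 2.9.10.8 for jackson-databind, the databind patch the reporter notes already exists); the Maven coordinates for intercom-java (`io.intercom:intercom-java`) are assumed.

```xml
<!-- Added example (not intercom-java's own pom.xml): pin the Jackson artifacts
     that intercom-java 2.8.0 pulls in transitively at 2.9.6.
     Assumed coordinates: io.intercom:intercom-java. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>intercom-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- core and annotations track the 2.9.10 minor; databind has its own micro releases -->
    <jackson.version>2.9.10</jackson.version>
    <jackson.databind.version>2.9.10.8</jackson.databind.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement in the consuming project overrides the transitive
           version chosen by Maven's nearest-wins resolution. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.databind.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the library under discussion; its own Jackson 2.9.6 declarations are now
         overridden by the managed versions above -->
    <dependency>
      <groupId>io.intercom</groupId>
      <artifactId>intercom-java</artifactId>
      <version>2.8.0</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm that only the pinned versions resolve with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` (any remaining 2.9.6 entry means another dependency path still wins) and rerun the scanner that produced the report, for example `mvn org.owasp:dependency-check-maven:check` if OWASP dependency-check is the plugin in use. Staying on the 2.9 line keeps the override API-compatible with what intercom-java 2.8.0 was built against; moving the managed versions to 2.10 or 2.11, as the reporter also suggests, is possible but should be covered by the application's own tests.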

XanderAtBackboneSystems commented 3 years ago

Dear @SeanHealy33, thank you for upgrading Jackson to a new version with fewer CVEs. Unfortunately you did not upgrade jackson-databind to version 2.9.10.6 (currently 2.9.10.8 already exists). Therefore some of the above CVEs are still present.

SeanHealy33 commented 3 years ago

Thanks again @XanderAtBackboneSystems for looking into this!