j-easy / easy-rules

The simple, stupid rules engine for Java
https://github.com/j-easy/easy-rules/wiki
MIT License
4.88k stars 1.05k forks

Jackson upgrade for vulnerability issue #405

Open junaidwarsivd opened 1 year ago

junaidwarsivd commented 1 year ago

The current version of Jackson used in the easyrules release (4.1.0) has vulnerability issues:

- Deserialization of Untrusted Data (High) - CWE-502
- XML External Entity (XXE) Injection (High) - CWE-611 - CVE-2020-25649
- Denial of Service (DoS) (High) - CWE-400

This PR upgrades the jackson-databind dependency, which covers the issues mentioned above.
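Until the upgrade is merged and released, a project that consumes easy-rules 4.1.0 can force the patched jackson-databind onto its own classpath through Maven's dependencyManagement, which wins over the transitive version pulled in by easy-rules. The fragment below is an added example for this thread, not part of the PR or of the easy-rules build; it assumes the Jackson dependency arrives through the easy-rules-support module and uses a placeholder for the patched Jackson version, since the PR text does not state one.

```xml
<!-- Added example: a consumer's pom.xml overriding the transitive jackson-databind
     version that easy-rules 4.1.0 brings in. Not from the easy-rules project. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pinning here applies to transitive dependencies as well, so the
           version shipped with easy-rules 4.1.0 is replaced on the classpath.
           JACKSON_DATABIND_PATCHED_VERSION is a placeholder: substitute a
           release that is not affected by CVE-2020-25649. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>JACKSON_DATABIND_PATCHED_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumption: easy-rules-support is the module that depends on Jackson
         (it reads JSON/YAML rule definitions). Version taken from the PR text. -->
    <dependency>
      <groupId>org.jeasy</groupId>
      <artifactId>easy-rules-support</artifactId>
      <version>4.1.0</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, inspect the resolved tree with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` and check that only the pinned jackson-databind version appears; if an older version still shows up, another dependency is managing it and needs the same treatment.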

SebaMutuku commented 1 year ago

@fmbenhassine do you have some time to look at this and maybe merge it?

fmbenhassine commented 1 year ago

Yes. I am planning to do a release soon. I will make sure to include updated dependencies.

melloware commented 1 year ago

Any update on this?

pdob-git commented 9 months ago

@junaidwarsivd Thank you very much. I have updated my project from your fork 😄 👍

Joe2k commented 8 months ago

@fmbenhassine Any update on the release? Also, is it possible to look into this issue where an exception is happening in JDK 21? Thanks a lot!

xiangdyzz commented 4 weeks ago

Why not merge?

xiangdyzz commented 4 weeks ago

https://central.sonatype.com/artifact/io.github.dvgaba/easy-rules Is it safe?