Open karolinepauls opened 3 years ago
We released 0.9.4, is this still an issue?
0.9.4 is vulnerable to:
+----------------+----------+------+----------------------------------------------------------+----------+--------------------------+------------+----------------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DESCRIPTION |
+----------------+----------+------+----------------------------------------------------------+----------+--------------------------+------------+----------------------------------------------------------+
| CVE-2020-28491 | high | 7.50 | com.fasterxml.jackson.dataformat_jackson-dataformat-cbor | 2.10.5 | fixed in 2.11.4, 2.12.1 | > 3 months | This affects the package |
| | | | | | > 3 months ago | | com.fasterxml.jackson.dataformat:jackson-dataformat-cbor |
| | | | | | | | from 0 and before 2.11.4, from 2.12.0-rc1 and before |
| | | | | | | | 2.12.1. Uncheck... |
Any update on the CVE-2020-28491? Thank you.
0.9.3 is still vulnerable to:
I checked the master with sbt update and sbt dependencyTree and it installs the patched version of jackson-databind.