moquette-io / moquette

Java MQTT lightweight broker
http://moquette-io.github.io/moquette/
Apache License 2.0

Transitive dependency on Jackson 2.8.8 with many known vulnerabilities #698

Open wborn opened 1 year ago

wborn commented 1 year ago

The moquette-broker:0.15 artifact has a transitive dependency through librato-java:2.1.0 on Jackson 2.8.8 which has many known vulnerabilities:

It shows up in IntelliJ IDEA like this:

[Screenshot from 2022-12-02 13-39-10: IntelliJ IDEA dependency warning]

Dependency tree:

[Screenshot from 2022-12-02 13-38-08: dependency tree]
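One way to check a report like the one above against a build, as an added example that is not part of this issue or of moquette's own tooling: a Python script that walks the text `mvn dependency:tree` prints and reports every artifact of a given group whose version sorts below a chosen floor, together with the path that pulls it in. The sample tree is constructed for illustration: the librato-java group id, the Jackson sub-artifacts, the httpclient and junit entries and the version floor are assumptions, not data copied from the screenshots.

```python
"""Walk `mvn dependency:tree` output and report transitive artifacts below a
minimum version, with the dependency path that pulls each one in."""
import re

# Constructed sample in the format printed by `mvn dependency:tree`. It is not
# the tree from the issue's screenshot; the coordinates of librato-java and of
# its transitive dependencies are assumed for illustration.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ example-app ---
[INFO] com.example:example-app:jar:1.0.0
[INFO] +- io.moquette:moquette-broker:jar:0.15:compile
[INFO] |  \\- com.librato.metrics:librato-java:jar:2.1.0:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8:compile
[INFO] |     |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |     |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] |     \\- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO] ------------------------------------------------------------------------
"""

SCOPES = {"compile", "provided", "runtime", "test", "system"}

# Every nesting level is one 3-character cell: "+- ", "\- ", "|  " or "   ".
# Group 1 captures the cells, group 2 the groupId:artifactId:type[:classifier]:version[:scope] coordinate.
TREE_LINE = re.compile(r"^\[INFO\] ((?:\+- |\\- |\|  |   )*)([\w.\-]+(?::[\w.\-]+)+)$")


def parse_coordinate(coord):
    """Split a Maven coordinate into its parts; the scope is absent on the root line."""
    parts = coord.split(":")
    scope = parts[-1] if parts[-1] in SCOPES else None
    version = parts[-2] if scope else parts[-1]
    return {"group": parts[0], "artifact": parts[1], "version": version, "scope": scope}


def version_key(version):
    """Numeric prefix of a version as a tuple, so that 2.8.8 < 2.9.10 < 2.13.4.
    Qualifiers such as .Final or -SNAPSHOT are ignored for the comparison."""
    nums = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def walk(tree_text):
    """Yield (path, node) for every artifact line, where path is the list of
    nodes from the root down to and including this node."""
    stack = []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue  # plugin banner, separators, other log lines
        depth = len(m.group(1)) // 3
        node = parse_coordinate(m.group(2))
        del stack[depth:]  # leave the previous sibling's subtree
        stack.append(node)
        yield list(stack), node


def find_below(tree_text, group, min_version, artifact=None, include_test=False):
    """Return findings for artifacts of `group` (optionally a single artifact)
    whose version sorts below `min_version`. Test-scoped artifacts are not
    shipped, so they are skipped unless include_test is set."""
    findings = []
    for path, node in walk(tree_text):
        if node["group"] != group or (artifact and node["artifact"] != artifact):
            continue
        if node["scope"] == "test" and not include_test:
            continue
        if version_key(node["version"]) < version_key(min_version):
            findings.append({
                "artifact": node["artifact"],
                "version": node["version"],
                "scope": node["scope"],
                "path": " -> ".join(f"{n['group']}:{n['artifact']}:{n['version']}" for n in path),
            })
    return findings


if __name__ == "__main__":
    # Illustrative version floor; take the real one from your advisory source.
    for hit in find_below(SAMPLE_TREE, "com.fasterxml.jackson.core", "2.13.4"):
        print(f"{hit['artifact']} {hit['version']} ({hit['scope']}): {hit['path']}")
```

To run it against a real project, save `mvn dependency:tree` output to a file and pass its contents to `find_below`. The tree shows the versions Maven actually resolved (nearest declaration wins), so a flagged version is the one that ends up on the classpath; the usual remedies are a `dependencyManagement` pin to a newer version in the consuming project, or an `exclusion` on the dependency that drags the old artifact in.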

hylkevds commented 1 year ago

Librato is no longer maintained. We should move away from it.

hylkevds commented 1 year ago

That said, given that the Librato reporter as used only serialises JSON and doesn't de-serialise client-generated JSON, the vulnerabilities can't be triggered.