[DepShield] (CVSS 10.0) Vulnerability due to usage of com.fasterxml.jackson.core:jackson-databind:2.1.5

[sonatype-depshield-staging[bot]]

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.1.5 results in the following vulnerability(s):

• (CVSS 10.0) [CVE-2018-14721] FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to cond...
• (CVSS 9.8) [CVE-2018-11307] An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use o...
• (CVSS 9.8) [CVE-2018-7489] Incomplete Blacklist, Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-19362] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-14719] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-19360] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-14718] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-19361] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-14720] Improper Restriction of XML External Entity Reference ("XXE")
• (CVSS 8.1) [CVE-2018-5968] Incomplete Blacklist, Deserialization of Untrusted Data
• (CVSS 7.5) [CVE-2019-12086] Information Exposure

---

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.1.5 is a transitive dependency introduced by the following direct dependency(s):

• com.fasterxml.jackson.core:jackson-databind:2.1.5

• org.codehaus.modello:modello-plugin-jackson:1.8.4-SNAPSHOT         └─ com.fasterxml.jackson.core:jackson-databind:2.1.5

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

[simonetripodi]

com.fasterxml.jackson.core:jackson-databind:2.1.5 APIs are never used in the generated Jackson Modello reader/writer, since we just use the Streaming APIs, does it still the generated code being affected by the CVSS 10.0?

[whyjustin]

DepShield reports on vulnerabilities in a project's dependent components but does not determine if they are effective. Without knowing how the code is used in Modello, I could not answer that question. It seems that you've done your own review and found it not applicable so we can close this issue.