spring-cloud / spring-cloud-connectors

Library to let cloud applications connect to services
Apache License 2.0

Jackson Version bump to 2.11.4 #317

Closed pavanyalamanchili007 closed 2 years ago

pavanyalamanchili007 commented 3 years ago

Jackson Version bump to 2.11.4

pivotal-cla commented 3 years ago

@pavanyalamanchili007 Please sign the Contributor License Agreement!

pivotal-cla commented 3 years ago

@pavanyalamanchili007 Thank you for signing the Contributor License Agreement!

pavanyalamanchili007 commented 3 years ago

@scottfrederick please review this and consider it. Version 2.11.4 has fewer vulnerabilities.

raptorshots commented 3 years ago

This will be very helpful for many of us. Several of our applications are affected by this.

scottfrederick commented 3 years ago

I have been able to identify only one Jackson Databind CVE that has been reported against the version of Jackson being used by Spring Cloud Connectors, which was discussed in issue #315. As discussed in that issue, the CVE does not affect the Jackson Databind classes that Connectors uses.

Can you point to other CVEs that are relevant to the Jackson version currently used by this project?

raptorshots commented 3 years ago

I can only find that CVE. But popular scanning tools are flagging this library due to the Jackson vulnerability. Hence the request. I understand this particular CVE might not affect the current version.

scottfrederick commented 2 years ago

Superseded by 98207f2f02f49cab56c91062f2e3c40b7f4c01cf
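The thread above is about a scanner flagging the Jackson version that Spring Cloud Connectors pulls in transitively. An application that consumes the library does not have to wait for a library release to change what the scanner sees: it can pin the Jackson version itself through Maven `dependencyManagement`, which overrides the version declared by any transitive dependency. The snippet below is an added example for this page, not code from the spring-cloud-connectors project or from anyone in the thread. The consuming project's coordinates (`com.example:cloud-app`), the connector artifact chosen and its `2.0.7.RELEASE` version are placeholders; only `2.11.4` comes from the PR, and `org.springframework.cloud` / `com.fasterxml.jackson.core` are the real group ids.

```xml
<!-- Added example: a consuming application's pom.xml that pins the transitive
     jackson-databind version. Not part of spring-cloud-connectors.
     Assumptions: project coordinates, the connector artifact and its version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>cloud-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- The version requested in PR #317; one property keeps every Jackson
         module in step, since mixing core/databind/annotations versions
         causes runtime failures. -->
    <jackson.version>2.11.4</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement takes precedence over the version that a
           transitive dependency (here the connectors library) declares. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Connector artifact and version are assumed for illustration; use the
         module and release your application actually depends on. -->
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-cloudfoundry-connector</artifactId>
      <version>2.0.7.RELEASE</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect before re-running the scanner, inspect the resolved tree with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; every Jackson module should show the pinned version, with the version declared by the connector marked as omitted for conflict. Pinning changes the version string the scanner matches on; whether the reported CVE ever reached code the connectors actually call is a separate question, as discussed in the thread.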