twitter / finatra

Fast, testable, Scala services built on TwitterServer and Finagle
https://twitter.github.io/finatra/
Apache License 2.0

finatra: Fix Jackson Databind vulnerabilities #499

Closed kittsville closed 5 years ago

kittsville commented 5 years ago

Problem

Jackson Databind has multiple high severity vulnerabilities:

And a medium severity vulnerability:

Solution

Update Jackson Databind to a version not vulnerable

kittsville commented 5 years ago

Sorry for the PR spam. Work's vuln scanning re-ran this morning and found more 😅

codecov[bot] commented 5 years ago

Codecov Report

Merging #499 into develop will not change coverage. The diff coverage is n/a.


@@           Coverage Diff           @@
##           develop    #499   +/-   ##
=======================================
  Coverage     92.5%   92.5%           
=======================================
  Files          247     247           
  Lines         3895    3895           
  Branches       287     287           
=======================================
  Hits          3603    3603           
  Misses         292     292

Last update cd2d5be...67e5d7a.

cacoco commented 5 years ago

Hi @kittsville, we've updated the version of Jackson to 2.9.8 in 0a96d2caa9339675682f34d7889c6037ab104387.

kittsville commented 5 years ago

Thanks :sparkles: