(As I'm not sure how useful this URL will be after I resolve the alert, here is the gist of
its content + my interpretation.)
com.fasterxml.jackson.core:jackson-databind was at version 2.8.8, which is affected
by a bunch of remote code execution vulnerabilities:
CVE-2017-17485
CVE-2018-7489
CVE-2017-7525
Versions from 2.8.11 or higher are not affected.
As the dependency version suggested by our parent pom (spring-boot-starter-parent)
is 2.9.6, we can just remove the version number here.
(I don't think the use of Jackson in this library is vulnerable, as
we are not parsing, only creating JSON, but it is better to not carry
broken dependency versions into any application.)
While doing this, I also removed some other version numbers in our pom.xml
which have the same or newer versions in the parent.
This was triggered by an alert from GitHub: https://github.com/zalando-nakadi/nakadi-producer-spring-boot-starter/network/alert/nakadi-producer/pom.xml/com.fasterxml.jackson.core:jackson-databind/open
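The check described in this PR (an explicit version pin that is older than, or the same as, the version the parent pom already manages, so the pin can simply be dropped) can be automated. The script below is an added example, not part of this PR or the project's tooling: it parses a pom.xml, resolves `${property}` version references, reports every direct dependency whose pin is not newer than the parent-managed version, and writes out a copy of the pom with those pins removed. The parent-managed version table is a constructed stand-in for `spring-boot-starter-parent`'s dependencyManagement; only the jackson-databind entry (2.9.6) is taken from the description above, and the sample pom is likewise constructed.

```python
"""Find dependency version pins that a parent pom already manages.

Added example, not the project's own tooling.  PARENT_MANAGED is a
constructed stand-in for spring-boot-starter-parent's dependencyManagement;
only the jackson-databind entry (2.9.6) comes from the PR description.
"""
import re
import xml.etree.ElementTree as ET

NS = "http://maven.apache.org/POM/4.0.0"
M = {"m": NS}
ET.register_namespace("", NS)  # keep the default namespace when serialising

# Constructed: versions the parent pom manages (only 2.9.6 is from the page).
PARENT_MANAGED = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.6",
    "org.slf4j:slf4j-api": "1.7.25",
}

# Constructed sample pom.xml: an outdated pin, a pin equal to the parent's
# version expressed via a property, and an artefact the parent does not manage.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>PARENT-VERSION-PLACEHOLDER</version>
  </parent>
  <artifactId>example-starter</artifactId>
  <properties>
    <slf4j.version>1.7.25</slf4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.8.8</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>not-managed-by-parent</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _version_key(version):
    """Compare on numeric components only: '2.8.11' -> (2, 8, 11)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _resolve(version, properties):
    """Expand a single ${property} reference; anything else is returned as is."""
    m = re.fullmatch(r"\$\{([^}]+)\}", version.strip())
    return properties.get(m.group(1), version) if m else version.strip()


def _properties(root):
    props = root.find("m:properties", M)
    if props is None:
        return {}
    return {p.tag.split("}", 1)[1]: (p.text or "").strip() for p in props}


def _ga(dep):
    return "%s:%s" % (dep.findtext("m:groupId", namespaces=M),
                      dep.findtext("m:artifactId", namespaces=M))


def find_redundant_pins(pom_xml, managed=PARENT_MANAGED):
    """Return (groupId:artifactId, pinned, managed) for each direct dependency
    whose explicit version is not newer than the parent-managed one."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    hits = []
    for dep in root.findall("m:dependencies/m:dependency", M):
        ga, ver = _ga(dep), dep.find("m:version", M)
        if ver is None or ga not in managed:
            continue
        pinned = _resolve(ver.text or "", props)
        if _version_key(pinned) <= _version_key(managed[ga]):
            hits.append((ga, pinned, managed[ga]))
    return hits


def strip_redundant_pins(pom_xml, managed=PARENT_MANAGED):
    """Return the pom with redundant <version> elements removed, so that the
    parent's managed version applies instead."""
    redundant = {ga for ga, _, _ in find_redundant_pins(pom_xml, managed)}
    root = ET.fromstring(pom_xml)
    for dep in root.findall("m:dependencies/m:dependency", M):
        ver = dep.find("m:version", M)
        if _ga(dep) in redundant and ver is not None:
            dep.remove(ver)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for ga, pinned, managed in find_redundant_pins(SAMPLE_POM):
        print("drop pin %s=%s (parent manages %s)" % (ga, pinned, managed))
    print(strip_redundant_pins(SAMPLE_POM))
```

After removing a pin, `mvn dependency:tree` shows which version Maven actually resolves, which is the quick way to confirm that the inherited 2.9.6 (and not a transitive 2.8.x) ends up on the classpath.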