zalando-nakadi / nakadi-producer-spring-boot-starter

Nakadi event producer as a Spring boot starter
MIT License

Fix Jackson vulnerability #103

Closed ePaul closed 5 years ago

ePaul commented 5 years ago

This was triggered by an alert from Github: https://github.com/zalando-nakadi/nakadi-producer-spring-boot-starter/network/alert/nakadi-producer/pom.xml/com.fasterxml.jackson.core:jackson-databind/open

(As I'm not sure how useful this URL will be after I resolve the alert, here is the gist of its content + my interpretation.)

com.fasterxml.jackson.core:jackson-databind was at version 2.8.8, which is affected by a bunch of remote code execution vulnerabilities:

Versions from 2.8.11 or higher are not affected. As the dependency version suggested by our parent pom (spring-boot-starter-parent) is 2.9.6, we can just remove the version number here.

(I don't think the use of Jackson in this library is vulnerable, as we are not parsing, only creating JSON, but it is better to not carry broken dependency versions into any application.)

While doing this, I also removed some other version numbers in our pom.xml which have the same or newer versions in the parent.
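The check this PR describes, as an added example that is not part of the repository: a small Python script that parses a constructed pom.xml (mirroring the pre-fix state, with a placeholder parent version) and flags an explicit jackson-databind pin older than 2.8.11; dependencies that omit `<version>` are assumed to inherit the parent's managed version, as the comment above explains, and are not flagged.

```python
import re
import xml.etree.ElementTree as ET

# Maven POM elements live in this namespace; lookups must use it.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Lowest jackson-databind version the PR description treats as unaffected.
MIN_SAFE = (2, 8, 11)

# Constructed pom.xml mirroring the state before this PR: an explicit 2.8.8 pin
# next to a dependency whose version is left to the parent's dependencyManagement.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>PARENT-VERSION-PLACEHOLDER</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.8.8</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
"""

def parse_version(text):
    """Turn '2.8.8' into (2, 8, 8); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)

def find_pinned_jackson(pom_xml):
    """Return the explicitly pinned jackson-databind versions older than MIN_SAFE.
    Only the project's own <dependencies> are scanned; a dependency without
    <version> is managed by the parent and therefore not reported here."""
    root = ET.fromstring(pom_xml)
    flagged = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        if (group, artifact) == ("com.fasterxml.jackson.core", "jackson-databind") \
                and version and parse_version(version) < MIN_SAFE:
            flagged.append(version)
    return flagged
```

Removing the `<version>` element, which is what this PR does, makes the check return an empty list; the version that then actually resolves is the parent's, which `mvn dependency:tree` will show.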

BGehrels commented 5 years ago

👍

ePaul commented 5 years ago

:+1: