jswingle-git changed the title from "Multiple Critical/High severity CVE" to "Multiple Critical/High severity CVE's in the version of Jackson Databind" on Jul 20, 2021
jackson-databind is used by Spark. In order to get this dependency to a version without CVEs, the dependency needs to be bumped to the latest in version 3.3.X or 3.2.X. I've tried to upgrade to the latest version of Spark, but then I get a compilation error on the flatMapValues method, which seems to have changed its signature. I have no knowledge of Spark, so I'm not sure what the best approach forward is here.
We have overridden the Jackson dependencies and created a custom Docker container which we are using internally. It addresses the critical vulnerabilities: https://github.com/DIPSAS/spark-dependencies
The version of jackson-databind is subject to the following:
Critical CVEs
CVE-2018-14719
CVE-2019-20330
CVE-2019-14892
CVE-2018-19360
CVE-2020-9547
CVE-2020-9546
CVE-2018-19362
CVE-2018-19361
CVE-2018-14720
CVE-2017-15095
CVE-2019-14379
CVE-2019-14540
CVE-2019-17267
CVE-2019-14893
CVE-2018-14718
CVE-2018-7489
CVE-2020-9548
CVE-2020-8840
CVE-2018-11307
CVE-2019-16335
CVE-2019-16943
CVE-2017-17485
CVE-2019-17531
CVE-2018-14721
CVE-2019-16942
High CVEs
CVE-2020-14195
CVE-2020-36185
CVE-2020-36184
CVE-2020-14195
CVE-2020-24750
CVE-2020-35728
CVE-2019-12086
CVE-2020-36185
CVE-2020-36187
CVE-2020-24616
CVE-2018-5968
CVE-2020-36182
CVE-2020-11113
CVE-2020-11619
CVE-2020-11111
CVE-2018-12023
CVE-2020-11112
CVE-2020-11620
CVE-2020-10673
CVE-2020-10968
CVE-2020-10672
CVE-2020-10969
CVE-2020-14060
CVE-2019-14439
CVE-2018-12022
CVE-2020-14061
Can the jackson-databind dependency be updated to 2.9.10.8 or above?
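The issue asks for jackson-databind to be at 2.9.10.8 or above, and the reporter resolved it internally by overriding the transitive Jackson version pulled in through Spark. The check a maintainer would want before and after such an override is whether the resolved dependency tree still contains a jackson-databind below that floor. The following is an added example, not code from the reporter, from the linked repository or from the project: it parses the text output of `mvn dependency:tree` (the `[INFO] +- group:artifact:type[:classifier]:version:scope` line shape), compares versions numerically so that 2.9.10.8 sorts above 2.9.10 and below 2.10.0, and reports every occurrence of jackson-databind below the floor together with the chain of parents that pulled it in. The two dependency trees embedded in the block are constructed sample data; the artifact versions in them are illustrative and are not what any Spark release actually ships.

```python
import re
from typing import Dict, List, Tuple

# Minimum jackson-databind version requested in the issue.
MIN_SAFE_VERSION = "2.9.10.8"

# One line of `mvn dependency:tree` output, e.g.
#   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
# `prefix` is the tree drawing (3 characters per nesting level); `coords` is the
# colon-separated Maven coordinate. Trailing annotations are ignored by match().
_TREE_LINE = re.compile(
    r"^\[INFO\]\s(?P<prefix>[\s|+\\-]*)(?P<coords>[\w.\-]+(?::[\w.\-]+)+)"
)


def version_key(version: str) -> Tuple[int, ...]:
    """'2.9.10.8' -> (2, 9, 10, 8); a non-numeric token counts as 0."""
    parts = []
    for token in version.split("."):
        m = re.match(r"\d+", token)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(version: str, minimum: str) -> bool:
    """True when `version` sorts below `minimum`; shorter tuples are zero-padded
    so that 2.9.10 compares as 2.9.10.0 against 2.9.10.8."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_vulnerable(tree_output: str,
                    artifact: str = "jackson-databind",
                    minimum: str = MIN_SAFE_VERSION) -> List[Dict[str, str]]:
    """Report every occurrence of `artifact` below `minimum` in a Maven dependency
    tree, with the chain of parents ("via") that pulled it in."""
    findings: List[Dict[str, str]] = []
    stack: List[Tuple[int, str]] = []  # (depth, "group:artifact:version")
    for line in tree_output.splitlines():
        m = _TREE_LINE.match(line)
        if not m:
            continue
        fields = m.group("coords").split(":")
        if len(fields) < 4:          # not a coordinate (e.g. the plugin banner)
            continue
        group, name = fields[0], fields[1]
        # root line: group:artifact:type:version; others end with :version:scope
        version = fields[3] if len(fields) == 4 else fields[-2]
        scope = "" if len(fields) == 4 else fields[-1]
        depth = len(m.group("prefix")) // 3
        while stack and stack[-1][0] >= depth:   # climb back to this node's parent
            stack.pop()
        if name == artifact and is_older(version, minimum):
            findings.append({
                "version": version,
                "scope": scope,
                "via": " -> ".join(c for _, c in stack) or "(direct)",
            })
        stack.append((depth, f"{group}:{name}:{version}"))
    return findings


# Constructed sample trees (versions are illustrative placeholders, not real releases).
SAMPLE_TREE_BEFORE = r"""
[INFO] --- dependency:tree (default-cli) @ spark-job ---
[INFO] org.example:spark-job:jar:1.0.0
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.0.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  \- com.fasterxml.jackson.module:jackson-module-scala_2.12:jar:2.9.9:compile
[INFO] \- org.scala-lang:scala-library:jar:2.12.10:compile
"""

# Same tree after the consuming build pins jackson-databind to the requested floor.
SAMPLE_TREE_AFTER = SAMPLE_TREE_BEFORE.replace(
    "jackson-databind:jar:2.9.9", "jackson-databind:jar:2.9.10.8"
)

if __name__ == "__main__":
    for label, tree in (("before", SAMPLE_TREE_BEFORE), ("after", SAMPLE_TREE_AFTER)):
        hits = find_vulnerable(tree)
        print(f"{label}: {len(hits)} jackson-databind artifact(s) below {MIN_SAFE_VERSION}")
        for hit in hits:
            print(f"  {hit['version']} ({hit['scope']}) via {hit['via']}")
```

Run it against the real output of `mvn dependency:tree` on the consuming project: a non-empty result on the "before" tree points at the parent artifact (here, the Spark module) whose transitive version needs to be managed, and an empty result after the override confirms the pin actually took effect rather than being shadowed by Maven's nearest-wins resolution. The same version comparison applies to Gradle's `dependencies` task output once the line parser is adapted to its tree format.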