[Feature Request] Bump jackson dependency due to possible CVE #882

Open
bgavrilMS opened this issue Nov 27, 2024 · 2 comments · May be fixed by #887
Labels: Bug (Something isn't working, needs an investigation and a fix), confidential-client (For issues related to confidential client apps), P2 (Normal priority items, should be done after P1)

Comments

@bgavrilMS (Member)

MSAL client type

Public, Confidential, Managed identity

Problem Statement

See FasterXML/jackson-databind#3972 for details. While it is disputed, it is being taken into account by some compliance tools. Better to just upgrade.

Applicability to MSAL is very low, as MSAL only parses JSON that comes from the identity provider.

Proposed solution

Bump jackson-databind from 2.13.4.2 to 2.18.1 or higher

Alternatives

No response

@bgavrilMS added the Bug, P2 and confidential-client labels and removed the auto-applied needs attention and untriaged labels on Nov 27, 2024
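A practical follow-up to the proposed bump, as an added example that is not code from the MSAL4J project or from anyone in this thread: a compliance scanner reads the jackson-databind artifact that the build actually resolves, not the version typed into the pom, so a declared bump can still be shadowed by a `dependencyManagement` entry or a transitive dependency. The script below extracts the resolved version from `mvn dependency:tree` output and compares it against the 2.18.1 floor stated in the issue. The two dependency-tree snippets are constructed to match Maven's output format (one carrying the old 2.13.4.2 from the issue, one after the bump); the only assumption about the project is that it builds with Maven.

```sh
#!/bin/sh
# Added example (not MSAL4J project code): check that the jackson-databind
# version a Maven build actually resolves meets a minimum version.
# Version numbers come from the issue; the tree samples are constructed.

MIN_JACKSON_VERSION="2.18.1"

# version_ge A B: exit 0 if dotted version A >= B, else 1.
# Compares component-wise as integers, so 2.13.4.2 < 2.18.1 and 2.18.1.1 >= 2.18.1.
# Pre-release suffixes such as "-rc1" are not handled (Jackson release tags are numeric).
version_ge() {
  a="$1"; b="$2"
  i=1
  while :; do
    ca=$(printf '%s' "$a" | cut -d. -f"$i")
    cb=$(printf '%s' "$b" | cut -d. -f"$i")
    # Both versions exhausted with no difference found: equal.
    [ -z "$ca" ] && [ -z "$cb" ] && return 0
    ca=${ca:-0}; cb=${cb:-0}
    if [ "$ca" -gt "$cb" ]; then return 0; fi
    if [ "$ca" -lt "$cb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# resolved_jackson_version TREE_TEXT: print the jackson-databind version found
# in `mvn dependency:tree` output (first match), or nothing if absent.
resolved_jackson_version() {
  printf '%s\n' "$1" \
    | sed -n 's/.*com\.fasterxml\.jackson\.core:jackson-databind:jar:\([^:]*\):.*/\1/p' \
    | head -n 1
}

# check_tree TREE_TEXT: exit 0 if the resolved version meets the minimum,
# 1 if it is too old, 2 if jackson-databind is not in the tree at all.
check_tree() {
  v=$(resolved_jackson_version "$1")
  if [ -z "$v" ]; then
    echo "jackson-databind not found in dependency tree" >&2
    return 2
  fi
  if version_ge "$v" "$MIN_JACKSON_VERSION"; then
    echo "OK: jackson-databind $v >= $MIN_JACKSON_VERSION"
    return 0
  fi
  echo "FAIL: jackson-databind $v < $MIN_JACKSON_VERSION" >&2
  return 1
}

# Constructed samples in the format printed by `mvn dependency:tree`:
# before the bump (version from the issue) and after it.
OLD_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile'
NEW_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.18.1:compile'

# Against a real checkout, feed the live tree instead of the samples:
#   check_tree "$(mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind)"
check_tree "$OLD_TREE" || true
check_tree "$NEW_TREE"
```

Running the live form after merging the bump is the check that actually closes the loop: if the tree still shows 2.13.4.2, something else in the build (a BOM import, a parent pom, or another dependency pulling Jackson in) is pinning the old version and the scanner will keep flagging it.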
@bgavrilMS (Member, Author)

@Avery-Dunn - can you please include this in the next MSAL 4j release?

@Avery-Dunn Avery-Dunn linked a pull request Dec 10, 2024 that will close this issue
@Avery-Dunn (Collaborator)

Just created a PR to resolve this: #887

It will definitely be in the next release, which should be out by the end of this week.

@Avery-Dunn Avery-Dunn added this to the 1.18.0 milestone Dec 10, 2024