
Upgrade libs to prevent security issues - CVE #178

Closed
byjoaofilipe opened this issue Feb 22, 2021 · 4 comments

Comments

@byjoaofilipe

byjoaofilipe commented Feb 22, 2021

The OWASP dependency-checker tool identified vulnerabilities in:

<!-- https://mvnrepository.com/artifact/net.sf.jasperreports/jasperreports -->
<dependency>
    <groupId>net.sf.jasperreports</groupId>
    <artifactId>jasperreports</artifactId>
    <version>6.16.0</version>
</dependency>

CVE-2020-25649

To prevent these security issues, please upgrade the following libraries to the latest version (see image below):

[image attachment not preserved]

@teodord
Collaborator

teodord commented Mar 4, 2021

It is not clear to me to which version we should upgrade.
Is it specified anywhere that this was solved/fixed in a subsequent release of Jackson Databind?

@byjoaofilipe
Author

Hello @teodord

If you want to solve these security issues, you can upgrade to this version (latest version):
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.12.2

With this upgrade, you mitigate/prevent the risks.
Thank you.
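For a project that consumes jasperreports 6.16.0 and cannot wait for an upstream release, the upgrade the reporter recommends can be applied from the consumer's own pom.xml. The following is an added example, not code from the JasperReports project or from either participant: it forces the jackson-databind version named in this thread (2.12.2) over whatever jasperreports pulls in transitively, and wires OWASP dependency-check into the build so the scan that produced this report runs on every `mvn verify` and fails the build on severe findings. The consumer project coordinates, the dependency-check-maven plugin version and the CVSS threshold are assumptions.

```xml
<!-- Added example (not from the JasperReports repository): consumer pom.xml that
     pins jackson-databind to the version suggested in the thread and runs
     OWASP dependency-check as part of the build. Project coordinates, plugin
     version and CVSS threshold are assumptions. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- assumed consumer project -->
  <artifactId>report-service</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- version the reporter recommends in this thread -->
    <jackson.version>2.12.2</jackson.version>
  </properties>

  <!-- dependencyManagement overrides transitive versions: every module that
       declares jackson-databind, jasperreports included, now resolves to 2.12.2. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <!-- keep core and annotations in step so Jackson does not run with mixed versions -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the dependency flagged by dependency-check in this issue -->
    <dependency>
      <groupId>net.sf.jasperreports</groupId>
      <artifactId>jasperreports</artifactId>
      <version>6.16.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- OWASP dependency-check bound to the verify phase; the build fails on
           any finding with CVSS >= 7.0 so a new advisory cannot slip through. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>6.1.1</version>          <!-- assumed; use the current release -->
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm the override actually took effect, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` and check that the entry under jasperreports resolves to 2.12.2 (Maven marks it as managed). The pin is a consumer-side mitigation only; the durable fix is the library bumping its own dependency, which is what the commit referenced later in this thread does. Note also that dependency-check matches artifacts to CPE entries and can flag a library whose fixed version has not yet been recorded in the NVD data, so before suppressing a finding, confirm the fix against the advisory itself rather than against the scanner's silence.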

@teodord
Collaborator

teodord commented Mar 4, 2021

Thanks for the quick reply.

But is there a way to have written confirmation that this particular CVE is solved in this particular version?
How do we know it is fixed? Who said so, and where?

teodord added a commit that referenced this issue Mar 8, 2021
@teodord
Collaborator

teodord commented Mar 8, 2021

Indeed, the Github CVE link you provided above had the required information.

Thank you,
Teodor

@teodord teodord closed this as completed Mar 8, 2021