
CVE-2020-36518: Bump jackson-databind to 2.13.2.2 #1690

Merged (1 commit), Apr 4, 2022

Conversation

lmr3796
Contributor

@lmr3796 lmr3796 commented Apr 1, 2022

This resolves #1689 .

There's a follow-up fix for the CVE in jackson-databind 2.12.6.1+/2.13.2.2+

@efeg

efeg commented Apr 1, 2022

@gracekarina Would you please help reviewing this PR?

@lmr3796 lmr3796 force-pushed the patch-1 branch 3 times, most recently from d36d7a6 to 05a06a5 on April 2, 2022 00:25
@lmr3796
Contributor Author

lmr3796 commented Apr 2, 2022

Also @gracekarina it'd be nice if I can also get approval for running build workflows for the PR.

This resolves swagger-api#1689 .

There's a follow-up fix for the CVE in jackson-databind 2.12.6.1+/2.13.2.2+
@frantuma frantuma merged commit ade41be into swagger-api:master Apr 4, 2022
@frantuma
Member

frantuma commented Apr 4, 2022

Thanks!

@lmr3796 lmr3796 deleted the patch-1 branch April 4, 2022 16:55
@efeg

efeg commented Apr 27, 2022

@frantuma @lmr3796 Looks like this change still leaves some dependencies to com.fasterxml.jackson.core:jackson-databind:2.13.2, which is a version that still has the vulnerability.

Hence, io.swagger.parser.v3:swagger-parser-v3:2.0.32 still has the vulnerability.

Update: @frantuma My mistake, it is all good!

@frantuma
Member

@efeg maybe I am missing something, but jackson-databind dep is directly declaring 2.13.2.2 which includes the fix. Can you clarify where you see previous version used?
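The question efeg and frantuma are going back and forth on, which jackson-databind version actually ends up resolved, is easy to answer mechanically from `mvn dependency:tree` output. The following is an added example, not code from this PR or from swagger-parser: it parses dependency:tree lines and classifies every jackson-databind coordinate against the fix versions named in this thread (2.12.6.1 for the 2.12 line, 2.13.2.2 for the 2.13 line). The sample tree is constructed, the `example:placeholder-lib-*` artifacts are placeholders, and minor lines other than 2.12 and 2.13 are reported as unknown rather than guessed.

```python
"""Classify jackson-databind versions found in `mvn dependency:tree` output
against the CVE-2020-36518 fix versions named in the PR discussion."""
import re
from typing import List, Tuple

# Fix versions from the PR thread: the 2.12 line is fixed from 2.12.6.1,
# the 2.13 line from 2.13.2.2. Other minor lines are deliberately not covered.
FIXED_VERSIONS = {
    (2, 12): (2, 12, 6, 1),
    (2, 13): (2, 13, 2, 2),
}

# A dependency:tree coordinate has the shape groupId:artifactId:type:version:scope,
# e.g. com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
DATABIND_RE = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:jar:(\d+(?:\.\d+)*):"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.13.2.2' into (2, 13, 2, 2) so versions compare numerically.
    Tuple comparison gives 2.13.2 < 2.13.2.2 and 2.12.6 < 2.12.6.1, which is
    exactly the distinction the thread is about."""
    return tuple(int(part) for part in version.split("."))


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' (minor line not listed)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if parsed >= fixed else "vulnerable"


def scan_tree(tree_output: str) -> List[Tuple[str, str]]:
    """Return (version, status) for each jackson-databind line, in tree order."""
    return [
        (match.group(1), classify(match.group(1)))
        for match in DATABIND_RE.finditer(tree_output)
    ]


def vulnerable_versions(tree_output: str) -> List[str]:
    """Only the versions that still sit below the fix for their minor line."""
    return [version for version, status in scan_tree(tree_output) if status == "vulnerable"]


# Constructed sample in dependency:tree layout (not real swagger-parser output).
# A real tree for just this artifact comes from:
#   mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
SAMPLE_TREE = """\
[INFO] io.swagger.parser.v3:swagger-parser-v3:jar:2.0.32
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] +- example:placeholder-lib-a:jar:1.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] \\- example:placeholder-lib-b:jar:1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6:compile
"""

if __name__ == "__main__":
    for version, status in scan_tree(SAMPLE_TREE):
        print(f"jackson-databind {version}: {status}")
```

In a plain (non-verbose) Maven tree each artifact appears once, at the version nearest-wins resolution actually put on the classpath, so a reported 2.13.2 is the version that ships, regardless of what the direct dependency declares. Comparing four-part patch releases such as 2.13.2.2 as integer tuples rather than as strings is what keeps the check honest; a string comparison would also rank "2.13.2" below "2.13.2.2", but it would misorder "2.13.10" against "2.13.9".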

Development

Successfully merging this pull request may close these issues.

jackson-databind 2.12.6 is still vulnerable and should be bumped
3 participants