Upgrade com.fasterxml.jackson.core:jackson-databind to 2.9.10.4 to remove CVE #595
Replies: 6 comments
-
@amaters-easy: can you let me know which Oxalis (Oxalis and Oxalis-AS4) version was scanned?
-
The Oxalis-AS4 5.1.0 release, which has the Oxalis base version 5.1.0.
-
Only the vefa-peppol component is using "jackson-databind" (and that too in "test" scope): com.github.tomakehurst:wiremock:jar:2.27.2:test. Can you please run "mvn dependency:tree" in your product/project to find out where the mentioned older version of "jackson-databind" is coming from for you, @amaters-easy?
-
@amaters-easy: We did not hear anything from you, if you still have any questions...
-
Could not answer any earlier. We run the Docker AS4 version as it is, not as a Java project or anything like that. Perhaps some of the developers can run the mvn command?
-
Oxalis version 5.1.0 is using vefa-peppol 2.1.0, which in turn is using version "2.11.0" of "com.fasterxml.jackson.core:jackson-databind:jar", hence it is not an issue. If you still have doubts, then moving it to discussion.
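Added example (not part of the thread and not Oxalis project code): a small parser for `mvn dependency:tree` output that reports every jackson-databind node, the dependency chain that pulls it in, and whether it is below the 2.9.10.4 named in the title. The sample tree, all `org.example` coordinates and the 2.9.8 version are constructed for illustration.

```python
import re

TARGET = "com.fasterxml.jackson.core:jackson-databind"
MIN_VERSION = "2.9.10.4"  # version the discussion title asks to upgrade to

# Constructed `mvn dependency:tree` output for a two-module build. Every
# org.example coordinate and the 2.9.8 version are hypothetical.
SAMPLE_TREE = r"""
[INFO] org.example:demo-app:jar:1.0.0
[INFO] \- org.example:modern-lib:jar:2.1.0:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO] org.example:demo-tests:jar:1.0.0
[INFO] +- org.example:other-lib:jar:1.0:test
[INFO] \- org.example:legacy-test-lib:jar:0.9:test
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:test
"""

# Optional "[INFO] ", tree-drawing prefix (3 chars per level), then the coordinate.
LINE = re.compile(r"^(?:\[INFO\] )?([|+\\ -]*)([^\s:]+(?::[^\s:]+){3,5})\s*$")

def version_key(version):
    """Numeric components only, so 2.9.10 < 2.9.10.4 < 2.11.0."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_databind(tree_text):
    """Return one dict per jackson-databind node, with the chain that pulls it in."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banners, blank lines, build summary
        depth, coord = len(m.group(1)) // 3, m.group(2)
        stack = stack[:depth] + [coord]  # ancestors of this node, then the node
        parts = coord.split(":")
        if ":".join(parts[:2]) != TARGET:
            continue
        # Module roots are g:a:type:version; dependencies append a scope.
        version, scope = (parts[-1], None) if depth == 0 else (parts[-2], parts[-1])
        below = version_key(version) < version_key(MIN_VERSION)
        findings.append({"version": version, "scope": scope,
                         "via": stack[:depth], "below_minimum": below})
    return findings

if __name__ == "__main__":
    for f in find_databind(SAMPLE_TREE):
        flag = "BELOW " + MIN_VERSION if f["below_minimum"] else "ok"
        print(f"{f['version']:<10} scope={str(f['scope']):<8} {flag:<16} "
              f"via {' > '.join(f['via'])}")
```

When only a container image is available, the same version comparison can be applied to the `jackson-databind-*.jar` file names found in the image's library directory.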
-
According to our latest security scan the
The list of CVEs with impact High or Critical is quite long:
CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2019-14379, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2019-12086, CVE-2019-14439, CVE-2020-10672, CVE-2020-10673