Introduce jackson-databind constraint for 2.12.7.1 (#2733)

Fixes CVE-2022-42003
Kotlin · Nov 10, 2022 · 7c3b403 · 7c3b403
1 parent 6319343
commit 7c3b403
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 0 deletions.
diff --git a/core/build.gradle.kts b/core/build.gradle.kts
@@ -15,6 +15,12 @@ dependencies {
     val jackson_version: String by project
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
     implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:$jackson_version")
+    val jackson_databind_version: String by project
+    constraints {
+        implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+            because("CVE-2022-42003")
+        }
+    }
 
     val coroutines_version: String by project
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")

diff --git a/gradle.properties b/gradle.properties
@@ -11,6 +11,8 @@ idea_version=213.6777.52
 language_version=1.4
 # jackson 2.13.X does not support kotlin language version 1.4, check before updating
 jackson_version=2.12.7
+# fixes CVE-2022-42003
+jackson_databind_version=2.12.7.1
 freemarker_version=2.3.31
 # Code style
 kotlin.code.style=official

diff --git a/plugins/all-modules-page/build.gradle.kts b/plugins/all-modules-page/build.gradle.kts
@@ -18,6 +18,12 @@ dependencies {
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")
     val jackson_version: String by project
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+    val jackson_databind_version: String by project
+    constraints {
+        implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+            because("CVE-2022-42003")
+        }
+    }
     val kotlinx_html_version: String by project
     implementation("org.jetbrains.kotlinx:kotlinx-html-jvm:$kotlinx_html_version")
 

diff --git a/plugins/base/build.gradle.kts b/plugins/base/build.gradle.kts
@@ -11,6 +11,12 @@ dependencies {
 
     val jackson_version: String by project
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+    val jackson_databind_version: String by project
+    constraints {
+        implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+            because("CVE-2022-42003")
+        }
+    }
 
     val freemarker_version: String by project
     implementation("org.freemarker:freemarker:$freemarker_version")

diff --git a/plugins/gfm/build.gradle.kts b/plugins/gfm/build.gradle.kts
@@ -6,6 +6,12 @@ dependencies {
     testImplementation(project(":plugins:base:base-test-utils"))
     val jackson_version: String by project
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+    val jackson_databind_version: String by project
+    constraints {
+        implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+            because("CVE-2022-42003")
+        }
+    }
 }
 
 registerDokkaArtifactPublication("gfmPlugin") {

diff --git a/plugins/templating/build.gradle.kts b/plugins/templating/build.gradle.kts
@@ -11,6 +11,12 @@ dependencies {
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")
     val jackson_version: String by project
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+    val jackson_databind_version: String by project
+    constraints {
+        implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+            because("CVE-2022-42003")
+        }
+    }
     val kotlinx_html_version: String by project
     implementation("org.jetbrains.kotlinx:kotlinx-html-jvm:$kotlinx_html_version")
 

diff --git a/plugins/versioning/build.gradle.kts b/plugins/versioning/build.gradle.kts
@@ -12,6 +12,12 @@ dependencies {
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")
     val jackson_version: String by project
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+    val jackson_databind_version: String by project
+    constraints {
+        implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+            because("CVE-2022-42003")
+        }
+    }
     val kotlinx_html_version: String by project
     implementation("org.jetbrains.kotlinx:kotlinx-html-jvm:$kotlinx_html_version")