Update jackson-databind due to security issue #24667
Labels: area/jackson, area/security, kind/bug
Describe the bug
The most recent version (2.7.5.Final) of the dependency io.quarkus:quarkus-smallrye-jwt contains jackson-databind (version 2.13.1). This version of jackson-databind contains CVE-2020-36518.
Here is a part of the mvn dependency:tree output:
[INFO] +- io.quarkus:quarkus-smallrye-jwt:jar:2.7.5.Final:compile
[INFO] |  +- io.smallrye:smallrye-jwt:jar:3.3.3:compile
[INFO] |  |  +- org.eclipse.microprofile.jwt:microprofile-jwt-auth-api:jar:1.2:compile
[INFO] |  |  +- org.bitbucket.b_c:jose4j:jar:0.7.9:compile
[INFO] |  |  \- io.smallrye:smallrye-jwt-common:jar:3.3.3:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- io.quarkus:quarkus-reactive-routes:jar:2.7.5.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-jackson:jar:2.7.5.Final:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.1:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.1:compile
[INFO] |  |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.1:compile
[INFO] |  |  \- io.smallrye.common:smallrye-common-annotation:jar:1.10.0:compile
Can you please update to the newest version of jackson-databind (2.13.2.2)? This would resolve the security issue.
Expected behavior
Can you please update to the newest version of jackson-databind (2.13.2.2)? This would resolve the security issue.
Actual behavior
No response
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
No response
Build tool (i.e. output of mvnw --version or gradlew --version)
No response
Additional information
No response