
Update jackson-databind due to security issue #24667

Closed
JaquelineP opened this issue Mar 31, 2022 · 6 comments
Labels
area/jackson Issues related to Jackson (JSON library) area/security kind/bug Something isn't working

Comments

@JaquelineP

Describe the bug

The most recent version (2.7.5.Final) of the dependency io.quarkus:quarkus-smallrye-jwt contains jackson-databind (version 2.13.1). This version of jackson-databind contains CVE-2020-36518.

Here is a part of the mvn dependency:tree output:

[INFO] +- io.quarkus:quarkus-smallrye-jwt:jar:2.7.5.Final:compile
[INFO] | +- io.smallrye:smallrye-jwt:jar:3.3.3:compile
[INFO] | | +- org.eclipse.microprofile.jwt:microprofile-jwt-auth-api:jar:1.2:compile
[INFO] | | +- org.bitbucket.b_c:jose4j:jar:0.7.9:compile
[INFO] | | - io.smallrye:smallrye-jwt-common:jar:3.3.3:compile
[INFO] | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | +- io.quarkus:quarkus-reactive-routes:jar:2.7.5.Final:compile
[INFO] | | +- io.quarkus:quarkus-jackson:jar:2.7.5.Final:compile
[INFO] | | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.1:compile
[INFO] | | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.1:compile
[INFO] | | | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.1:compile
[INFO] | | - io.smallrye.common:smallrye-common-annotation:jar:1.10.0:compile

Can you please update to the newest version of jackson-databind (2.13.2.2)? This would resolve the security issue.

Expected behavior

Can you please update to the newest version of jackson-databind (2.13.2.2)? This would resolve the security issue.

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
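The report above finds the affected artifact by reading `mvn dependency:tree` output by hand. The script below is an added example (not part of this issue, and not Quarkus or Jackson project code) that automates that check: it parses the tree format, extracts each coordinate's version, and flags every occurrence of a given group:artifact whose version sorts below the fixed version. The sample tree is constructed from the lines quoted in the issue plus one `jackson-databind:2.13.1` line under `quarkus-jackson`, which the issue describes but does not print; the fixed version `2.13.2.2` is the one the reporter asks for.

```python
"""Scan `mvn dependency:tree` output for a transitive artifact below a fixed version.

Added example, not code from the Quarkus issue or project. The SAMPLE_TREE is
constructed: it reproduces the tree quoted in the issue and adds the
jackson-databind line the issue describes but does not show.
"""
import re
import sys
from typing import List, Optional, Tuple

SAMPLE_TREE = """\
[INFO] +- io.quarkus:quarkus-smallrye-jwt:jar:2.7.5.Final:compile
[INFO] |  +- io.smallrye:smallrye-jwt:jar:3.3.3:compile
[INFO] |  |  +- org.eclipse.microprofile.jwt:microprofile-jwt-auth-api:jar:1.2:compile
[INFO] |  |  +- org.bitbucket.b_c:jose4j:jar:0.7.9:compile
[INFO] |  |  \\- io.smallrye:smallrye-jwt-common:jar:3.3.3:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- io.quarkus:quarkus-reactive-routes:jar:2.7.5.Final:compile
[INFO] |  |  +- io.quarkus:quarkus-jackson:jar:2.7.5.Final:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.1:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.1:compile
[INFO] |  |  |  \\- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.1:compile
[INFO] |  |  \\- io.smallrye.common:smallrye-common-annotation:jar:1.10.0:compile
"""

# "[INFO]" followed by the tree-drawing characters (|, +, \, -, spaces) before a coordinate.
TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\-\s]*")


def parse_coordinate(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (groupId, artifactId, version, scope) for one tree line, or None.

    Coordinates are printed as group:artifact:type[:classifier]:version:scope, so the
    version is always the second-to-last field and the scope the last one. The root
    project line has only group:artifact:type:version and no scope.
    """
    body = TREE_PREFIX.sub("", line).strip()
    if not body:
        return None
    coord = body.split()[0]  # drop trailing annotations such as "(optional)"
    parts = coord.split(":")
    if len(parts) < 4:
        return None  # plugin banner, "BUILD SUCCESS" and similar non-coordinate lines
    if len(parts) == 4:
        return parts[0], parts[1], parts[3], ""
    return parts[0], parts[1], parts[-2], parts[-1]


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dot-separated prefix of a version; qualifiers like "Final" are ignored."""
    nums: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts below version b (2.13.1 < 2.13.2.2, 2.13.2 < 2.13.2.2)."""
    return parse_version(a) < parse_version(b)


def find_vulnerable(tree_text: str, group_id: str, artifact_id: str,
                    fixed_version: str) -> List[str]:
    """List every group:artifact:version:scope occurrence below fixed_version."""
    hits: List[str] = []
    for line in tree_text.splitlines():
        parsed = parse_coordinate(line)
        if parsed is None:
            continue
        group, artifact, version, scope = parsed
        if group == group_id and artifact == artifact_id and version_lt(version, fixed_version):
            hits.append(f"{group}:{artifact}:{version}:{scope}")
    return hits


if __name__ == "__main__":
    # With --stdin, read real `mvn dependency:tree` output from a pipe instead of the sample.
    tree = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_TREE
    for hit in find_vulnerable(tree, "com.fasterxml.jackson.core", "jackson-databind", "2.13.2.2"):
        print("below fixed version:", hit)
```

Only `jackson-databind` is checked because that is the artifact the issue names as carrying CVE-2020-36518; the sibling `jackson-datatype-*` and `jackson-module-*` artifacts at 2.13.1 are not flagged. Run it against a real build with `mvn dependency:tree | python check_tree.py --stdin`; an empty result after the upgrade confirms the transitive version actually moved.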

@JaquelineP JaquelineP added the kind/bug Something isn't working label Mar 31, 2022
@quarkus-bot quarkus-bot bot added area/jackson Issues related to Jackson (JSON library) area/security labels Mar 31, 2022
@quarkus-bot

quarkus-bot bot commented Mar 31, 2022

/cc @geoand, @gsmet, @sberyozkin

@geoand
Contributor

geoand commented Mar 31, 2022

If dependabot does update tonight, I'll do it manually

@JaquelineP
Author

Okay, thanks.

@geoand
Contributor

geoand commented Mar 31, 2022 via email

@gsmet
Member

gsmet commented Mar 31, 2022

It already has been updated there: #24554 and backported to 2.8.0.Final which will be released next week.

@gsmet gsmet closed this as completed Mar 31, 2022
@geoand
Contributor

geoand commented Mar 31, 2022

Great, thanks
