jackson-dataformat-cbor vulnerability


usul...@gmail.com

Mar 14, 2021, 6:08:20 AM3/14/21
to dropwizard-user
Hello,
snyk.io are reporting this DoS vulnerability for jackson-dataformat-cbor versions [0,2.11.4) || [2.12.0-rc1,2.12.1).
This vulnerability still exists in the latest Dropwizard release (v2.0.20), since the Jackson version used is "2.10.5.20201202", which depends on jackson-bom tag "jackson-bom-2.10.5.20201202", which references this vulnerable cbor version.
This is fixed in version 2.11.4 and up or 2.12.1 and up.
Version 2.12.2 has been on Dropwizard master for 2 months, but I don't know why it has not been shipped in any Dropwizard release since.

Would you be able to tell if we have a roadmap for jackson upgrade soon? 

Thanks,
Uziel

Jochen Schalanda

Mar 14, 2021, 8:15:29 AM3/14/21
to dropwizard-user
Hi Uziel,

we won't upgrade to Jackson 2.11 or 2.12 in Dropwizard 2.0.x to avoid breaking our users' applications in a patch upgrade.
Since we don't use the Jackson CBOR module in Dropwizard itself, I think this is a sensible strategy.

This being said, you can probably import the Jackson 2.11 or 2.12 BOM in your build and it might just work out of the box.

Cheers,
Jochen
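Jochen's suggestion above, written out as a Maven fragment. This is an added example, not code from the Dropwizard project or from either poster. It imports the Jackson BOM ahead of the Dropwizard BOM in dependencyManagement: for imported BOMs Maven keeps the first declaration it sees for a given groupId:artifactId, so every managed Jackson artifact, jackson-dataformat-cbor included, resolves to the patched line instead of Dropwizard's 2.10.5.20201202. The versions 2.12.1 and 2.0.20 are the ones named in the thread; the coordinates are the published ones for the two BOMs.

```xml
<!-- Added example (not Dropwizard's own pom): pin Jackson ahead of the
     Dropwizard 2.0.20 BOM. Order matters: for imported BOMs Maven takes
     the first declaration of a given groupId:artifactId, so jackson-bom
     must come before dropwizard-bom or Dropwizard's 2.10.5.20201202 wins. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.12.1</version> <!-- first fixed 2.12.x release named in the thread -->
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>io.dropwizard</groupId>
      <artifactId>dropwizard-bom</artifactId>
      <version>2.0.20</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Check what actually got resolved rather than trusting the pom: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.dataformat:jackson-dataformat-cbor` should print the CBOR module at 2.12.1 if your application pulls it in, and `-Dincludes=com.fasterxml.jackson.core` should show the core artifacts at the same version. Swapping the two `<dependency>` blocks silently reverts everything to 2.10.5.20201202, which is the failure mode the ordering comment guards against. Since Dropwizard 2.0.x is built against Jackson 2.10, "might just work out of the box" is a reasonable expectation and not a guarantee, so run the application's test suite after the bump.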