geometry-api-java

There is a vulnerability in Jackson Core 2.9.6, upgrade recommended

Open QiAnXinCodeSafe opened this issue 4 years ago • 2 comments

https://github.com/Esri/geometry-api-java/blob/a1af6612f4de7fc1baee1c331c335f154a4a96c9/pom.xml#L112-L117

Reference source: https://github.com/FasterXML/jackson-core/issues/488

QiAnXinCodeSafe, Oct 09 '20 03:10

@randallwhitman fyi

stolstov, Oct 09 '20 03:10

The deployed version of Jackson would matter more than the compile-dependency version. In production, one should almost always deploy a newer version than the declared compile-time dependency. That said, Jackson-2.10 finally resolves the issue underlying the perpetual jackson-databind vulnerabilities.

randallwhitman, Oct 09 '20 15:10