
Upgrade jackson-databind in Main Standalone Jar

Open mn-mikke opened this issue 1 year ago • 2 comments

The current version has the following vulnerabilities:

  • PRISMA-2023-0067

mn-mikke, Sep 12 '23 16:09

This feature will require support for Java 19. Putting on hold for now.

mn-mikke, Sep 18 '23 16:09

Hello, I am building an application using h2o but my container scanner has flagged a vulnerability for one of your Java dependencies (com.fasterxml.jackson.core). Could you please bump the version from 2.14.2 to 2.15.0 in the next release? Below you will see the output of the scanner. Thanks!

    "vulnerabilities": [
      {
        "CVE": "PRISMA-2023-0067",
        "CVSS": "7.50",
        "Fixed On": "24 Apr 23 00:00 UTC",
        "Link": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=PRISMA-2023-0067",
        "Package Name": "com.fasterxml.jackson.core_jackson-core",
        "Package Type": "Java",
        "Package Version": "2.14.2",
        "Severity": "high",
        "Status": "fixed in 2.15.0"
      }
    ]

support ticket: https://support.h2o.ai/a/tickets/107321 https://support.h2o.ai/a/tickets/104745

wendycwong, Jan 30 '24 16:01