java-client-api

Upgrade to jackson-databind 2.14.0 when available

Open • rjrudin opened this issue 2 years ago • 1 comment

This CVE - https://avd.aquasec.com/nvd/2022/cve-2022-42003/ - references an issue in < 2.14.0 jackson-databind. #1377 will get us onto 2.13.4 of jackson-databind, and 2.14.0 is not yet available - it's at rc2 as of today. Once 2.14.0 is available, we'll want to upgrade to it, along with 2.14.0 for all jackson dependencies.

rjrudin, Oct 12 '22 14:10

Looks like we can do 2.13.4.x instead and not have to wait for 2.14.0.

rjrudin, Oct 24 '22 15:10

Addressing via https://github.com/marklogic/java-client-api/pull/1425

rjrudin, Nov 01 '22 19:11