connector-x
Several critical vulnerabilities in connector-x dependencies
Describe your feature request
It seems that connector-x has several critical and high severity vulnerabilities open, stemming from e.g., com.fasterxml.jackson.core:jackson-databind, org.yaml:snakeyaml, and others. See below for a full listing of critical vulnerabilities, but note that there are others too.
I think it would be great not only to have these patched but also update the CI process to scan for vulnerabilities. As it stands, these vulnerabilities completely prevent the use of connector-x in certain organizations.
| SEVERITY | IMPACTED PACKAGE | IMPACTED PACKAGE VERSION | TYPE | FIXED VERSIONS | COMPONENT | COMPONENT VERSION | CVE |
|---|---|---|---|---|---|---|---|
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | org.yaml:snakeyaml | 1.24 | Maven | [2.0] | connectorx | 0.3.2 | CVE-2022-1471 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | org.yaml:snakeyaml | 1.24 | Maven | [2.0] | connectorx | 0.3.2 | CVE-2022-1471 |
| Critical | org.yaml:snakeyaml | 1.24 | Maven | [2.0] | connectorx | 0.3.2 | CVE-2022-1471 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | [2.10.1], [2.6.7.3], [2.7.9.7], [2.8.11.5], [2.9.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | [2.10.1] | connectorx | 0.3.2 | CVE-2019-16942 |
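As an added illustration of the CI scanning step asked for above (example code, not part of connector-x or of this issue), here is a small gate that takes findings in the shape of the table, with the issue's own coordinates as constructed sample data, and fails the build when a pinned Maven version is still below the nearest fixed release on its line. The version ordering (a `pr1`-style qualifier sorts below the bare release) and the per-`major.minor`-line matching are simplifying assumptions, not Maven's full `ComparableVersion` rules.

```python
"""CI gate: fail when a pinned Maven dependency is below its fixed version."""
import re
import sys

# Constructed sample rows in the issue's table format:
# (severity, package, pinned version, fixed versions per release line, CVE).
JACKSON_FIXED = ["2.10.1", "2.6.7.3", "2.7.9.7", "2.8.11.5", "2.9.10.1"]
FINDINGS = [
    ("Critical", "com.fasterxml.jackson.core:jackson-databind", "2.10.0", JACKSON_FIXED, "CVE-2019-16942"),
    ("Critical", "com.fasterxml.jackson.core:jackson-databind", "2.10.0.pr1", JACKSON_FIXED, "CVE-2019-16942"),
    ("Critical", "org.yaml:snakeyaml", "1.24", ["2.0"], "CVE-2022-1471"),
]


def version_key(v):
    """Comparable key for a Maven-style version (assumed, simplified rules).
    Numeric parts compare as ints; once a non-numeric part appears the rest is a
    qualifier, and a qualified version sorts below the bare release, so
    2.10.0.pr1 < 2.10.0 < 2.10.1."""
    nums, qual = [], ""
    for part in re.split(r"[.-]", v):
        if part.isdigit() and not qual:
            nums.append(int(part))
        else:
            qual += part
    nums += [0] * (4 - len(nums))          # 2.10 and 2.10.0 compare equal
    return (tuple(nums), 0 if qual else 1, qual)


def nearest_fix(pinned, fixed):
    """Smallest fixed version on the pinned major.minor line; if that line has
    no fix, the smallest fixed version above the pin (e.g. snakeyaml 1.24 -> 2.0)."""
    pk = version_key(pinned)
    same_line = [f for f in fixed if version_key(f)[0][:2] == pk[0][:2]]
    candidates = same_line or [f for f in fixed if version_key(f) > pk]
    return min(candidates, key=version_key) if candidates else None


def is_vulnerable(pinned, fixed):
    fix = nearest_fix(pinned, fixed)
    return fix is not None and version_key(pinned) < version_key(fix)


def gate(findings):
    """Return the findings that should fail the build, with the version to bump to."""
    return [(pkg, pinned, nearest_fix(pinned, fixed), cve)
            for _sev, pkg, pinned, fixed, cve in findings
            if is_vulnerable(pinned, fixed)]


if __name__ == "__main__":
    failing = gate(FINDINGS)
    for pkg, pinned, fix, cve in failing:
        print(f"{cve}: {pkg} {pinned} is below fixed version {fix}")
    sys.exit(1 if failing else 0)        # non-zero exit makes the CI job fail
```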
Is the solution just to bump the dependencies to later versions?
I don't know. If it is, there should be automation to bump them in the future too.