Details
Description
According to the Jackson announce mailing list, it's time to update to keep the scan tools happy. We are currently on 2.10.1, so an update to 2.10.5 should be feasible; to be investigated is whether now is the time to go to 2.11.0 for 14.3.
Since there is already 2.11.0 available (and 2.10 and
2.11 both add features to fully block these attacks), we strongly recommend
downstream projects to start migrating away from versions 2.9 and older,
especially if you do use polymorphic deserialization as described on
Upgrade to 2.10.5 at least is recommended in general too, but is
especially useful to make vuln scan tools happy.
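
An added example, not part of the announcement or of this project's code: how an allowlist for polymorphic deserialization is configured on 2.10 or later, assuming the features the announcement refers to include the `PolymorphicTypeValidator` API introduced in jackson-databind 2.10. The class names `PtvExample`, `Note` and `Other` are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PtvExample {
    // Hypothetical application types: Note is allowlisted, Other is not.
    public static class Note { public String text; }
    public static class Other { public String text; }

    // Pre-2.10 style, deprecated since 2.10 because any class name in the
    // input was accepted as a type id:
    //     new ObjectMapper().enableDefaultTyping();
    //
    // 2.10+ style: default typing is only activated together with a validator.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)   // explicit allowlist, nothing else passes
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Wrapper-array form used by default typing: ["<class name>", { ...fields... }]
    // Constructed sample input, not taken from a real system.
    static String typed(Class<?> type) {
        return "[\"" + type.getName() + "\",{\"text\":\"hi\"}]";
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Allowlisted type id: deserialized as Note.
        Object ok = mapper.readValue(typed(Note.class), Object.class);
        System.out.println("accepted: " + ok.getClass().getName());

        // Type id outside the allowlist: rejected before any instance is built.
        try {
            mapper.readValue(typed(Other.class), Object.class);
            System.out.println("unexpected: Other was accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getTypeId());
        }
    }
}
```

Running this needs jackson-databind 2.10 or later on the classpath; on 2.9 and older the validator classes do not exist.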