[JOC-1270] Update jackson-databind to 2.13.2.1 due to 3rd party vulnerability issue CVE-2020-36518 - SOS JIRA

XML

Word

Printable

Details

Type: Fix
Status: Released (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.13.12, 2.2.3
Fix Version/s: 1.13.13, 2.3.0
Component/s: None
Labels:
None

CVE-ID:
CVE-2020-36518

Description

Current Situation

Currently JOC Cockpit (JS1 and JS7), Agent (JS1 and JS7) and Master (JS1 only) make use of jackson-databind version 2.9.10.8.
a vulnerability affect this version
- see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

Desired Behavior

Due to a vulnerability Issue of older jackson-databind releases JOC Cockpit (JS1 and JS7), Agent (JS1 and JS7) and Master (JS1 only) should make use of the current version 2.13.2.1 that fixes the issue.
Additionally jackson-core, jackson-annotations, jackson-module-jaxb-annotations and jackson-dataformat-xml have to be updated to version 2.13.2 also, as jackson-databind is not downward compatible to older versions of jackson-core.

Attachments

Activity

People

Assignee:: Santiago Aucejo Petzoldt

Reporter:: Santiago Aucejo Petzoldt

Approver:: Divyani Rathore

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 29 March 2022 11:53

Updated:: 07 April 2022 00:41

Resolved:: 30 March 2022 08:39