[SET-190] Update Jackson Databind version to >= 2.9.10.3 due to 3rd party vulnerability issues (CVE-2019-20330, CVE-2020-8840) - SOS JIRA

XML

Word

Printable

Details

Type: Fix
Status: Released (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.13.3
Fix Version/s: 1.13.4
Labels:
None

CVE-ID:
CVE-2019-20330, CVE-2020-8840

Description

Current Situation

Currently JOC Cockpit and JobScheduler use Jackson Databind version 2.9.10.1
A vulnerability affects this version, see https://nvd.nist.gov/vuln/detail/CVE-2019-20330 and https://www.cvedetails.com/cve/CVE-2019-14540/ https://nvd.nist.gov/vuln/detail/CVE-2020-8840

Desired Behavior

Due to a vulnerability Issue of older Jackson releases the JOC Cockpit as well as the JobScheduler should use the current version 2.9.10.3 that fixes the issues.

Attachments

Activity

People

Assignee:: Santiago Aucejo Petzoldt

Reporter:: Santiago Aucejo Petzoldt

Approver:: Kanika Agrawal

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05 March 2020 08:54

Updated:: 29 July 2020 21:32

Resolved:: 05 March 2020 15:06