ReadonlyREST Community

Update of jackson-databind-2.9.6.jar

Sinedko (Sinedko) November 2, 2020, 2:58pm 1

Hello all,

Can you please update the library jackson-databind-2.9.6.jar to better version in your future releases ?

It comming in the scanners with Vulnerability Jackson RCE (CVE-2019-14361, CVE-2019-14439)

https://nvd.nist.gov/vuln/detail/CVE-2019-14439

Atleast in aquasec scan and aswell security scan in clouds.

Thank you.

Regards,
Denis.

coutoPL (Mateusz Kołodziejczyk) November 2, 2020, 7:04pm 2

Hi @Sinedko. We have done it in current sprint. It’ll be released together with ROR 1.25.0.

But you can test the pre-build if you wish:

https://readonlyrest-data.s3.amazonaws.com/build/1.25.0-pre6/readonlyrest-1.25.0-pre6_es7.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20201102/eu-west-1/s3/aws4_request&X-Amz-Date=20201102T190308Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=700b283d7c6ca8367e4d71d30588a03842d3167cd9aac8d7dad4973d51ff407a

1 Like

Sinedko (Sinedko) November 3, 2020, 12:43pm 3

Thank you very much for your fast reply, i tested this pre-build and its passing in scans, so it helped.

Will dowload the new version when available.

1 Like