CVE-2020-25649 - related to com.fasterxml.jackson.core:jackson-databind in spring-cloud-cloudfoundry-connector-2.0.7.RELEASE.jar
Hello,
At least one CVE (CVE-2020-25649) is brought up with com.fasterxml.jackson.core:jackson-databind version 2.10.0 included in spring-cloud-cloudfoundry-connector-2.0.7.RELEASE. The corrections were made in version 2.10.5.1 and later.
Here is the log of a DependencyCheck execution:
spring-cloud-cloudfoundry-connector-2.0.7.RELEASE.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0, cpe:2.3:a:fasterxml:jackson-databind:2.10.0:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.10.0:*:*:*:*:*:*:*) : CVE-2020-25649
Could the version be updated in a quick upcoming fix? Or is migrating to the newer Java CFEnv the only way to fix this?
Thank you,
Alex
Migrating to Java CFEnv is definitely the recommendation. While Spring Cloud Connectors is in maintenance mode we will continue to address critical security issues, but this library is vulnerable to these kinds of Jackson issues and an update can’t always be quick. Java CFEnv doesn’t suffer from this problem.
I’ll research this CVE to see if Connectors is vulnerable and publish a release if necessary.
Please see the analysis provided in the comment above.
The best way to mitigate this type of problem is to replace the usage of Spring Cloud Connectors with Java CFEnv, since the latter does not shade the Jackson dependencies.
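As an added example (not code from the issue or from the Spring Cloud project), a small Python check that reproduces what the DependencyCheck evidence above rests on: it opens a jar, reads the Maven descriptors shaded under META-INF/maven/, and flags a bundled jackson-databind older than 2.10.5.1, the fixed version named in the report. It assumes the shaded artifact carries a pom.properties beside the pom.xml that DependencyCheck cited, and it builds a constructed stand-in jar instead of the real connector artifact.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Version from which the report above says CVE-2020-25649 is fixed.
FIXED_JACKSON_DATABIND = "2.10.5.1"

# Maven descriptor path inside a jar, e.g.
# META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties
# (assumed to sit next to the pom.xml that DependencyCheck reported).
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.5.1' into (2, 10, 5, 1); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.split(r"[.-]", v) if p.isdigit())


def bundled_artifacts(jar_bytes: bytes) -> Dict[str, str]:
    """Return {'group:artifact': version} for every Maven descriptor shaded into the jar."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            text = jar.read(name).decode("utf-8", "replace")
            props = dict(
                line.split("=", 1)
                for line in text.splitlines()
                if "=" in line and not line.startswith("#")
            )
            found[f"{m.group(1)}:{m.group(2)}"] = props.get("version", "").strip()
    return found


def vulnerable_databind(jar_bytes: bytes) -> List[str]:
    """List shaded jackson-databind versions older than the fixed release (empty if none)."""
    ver = bundled_artifacts(jar_bytes).get("com.fasterxml.jackson.core:jackson-databind")
    if ver and parse_version(ver) < parse_version(FIXED_JACKSON_DATABIND):
        return [ver]
    return []


def make_sample_jar(databind_version: str) -> bytes:
    """Constructed stand-in for the connector jar: one shaded jackson-databind descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            f"#Generated by Maven\nversion={databind_version}\n"
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n",
        )
    return buf.getvalue()
```

A jar that shades no Jackson descriptor at all, which is the situation the last reply describes for Java CFEnv, yields an empty result here.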