jackson-databind vulnerability fix

Time: 03-29

Did anyone update their application with a fix for the jackson-databind 2.12.6 vulnerability error? It's fixed in v 2.13.12.1, but when I update my Gradle build to refer to this latest library, I get another dependency error: my Gradle isn't able to download it. Please assist if you have any alternatives.

The build error is:

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1.
     Required by:
         project : > com.fasterxml.jackson.core:jackson-databind:2.13.2.1
      > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1.
         > Could not get resource 'https://internalreporsitoryhost:8443/repository/maven-jaspersoft-3rd-party-ce/com/fasterxml/jackson/jackson-bom/2.13.2.1/jackson-bom-2.13.2.1.pom'.
            > Could not GET 'https://internalreporsitoryhost:8443/repository/maven-jaspersoft-3rd-party-ce/com/fasterxml/jackson/jackson-bom/2.13.2.1/jackson-bom-2.13.2.1.pom'. Received status code 503 from server: Service Unavailable
   > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1.
     Required by:
         project : > com.fasterxml.jackson.core:jackson-annotations:2.13.2
         project : > com.fasterxml.jackson.core:jackson-core:2.13.2
      > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1.
         > Could not get resource 'https://internalreporsitoryhost:8443/repository/maven-jaspersoft-3rd-party-ce/com/fasterxml/jackson/jackson-bom/2.13.2.1/jackson-bom-2.13.2.1.pom'.
            > Could not GET 'https://internalreporsitoryhost:8443/repository/maven-jaspersoft-3rd-party-ce/com/fasterxml/jackson/jackson-bom/2.13.2.1/jackson-bom-2.13.2.1.pom'. Received status code 503 from server: Service Unavailable

CodePudding user response:

You can use dependency constraints like this:

def jackson_version = '2.13.2'
def jackson_databind_version = '2.13.2.1'

dependencies {
    // Constraints are declared inside the dependencies block.
    // 'compile' was removed in Gradle 7; use 'implementation' there.
    constraints {
        compile("com.fasterxml.jackson:jackson-bom") {
            version {
                // pin the BOM to the release that is actually published
                strictly jackson_version
            }
            because 'previous versions are vulnerable to CVE-2020-36518'
        }
        compile("com.fasterxml.jackson.core:jackson-databind") {
            version {
                // databind alone moves to the patched micro release
                require jackson_databind_version
            }
            because 'previous versions are vulnerable to CVE-2020-36518'
        }
    }
}

See https://docs.gradle.org/current/userguide/rich_versions.html#sec:strict-version for details.

This should force Gradle to use the older version of jackson-bom/core and the newer/fixed version of jackson-databind.

CodePudding user response:

It seems there is an error with this (2.13.2.1) version: https://github.com/FasterXML/jackson-bom/issues/52

Try to use the micro patch 2.13.2.20220328 (https://github.com/FasterXML/jackson-bom/releases/tag/jackson-bom-2.13.2.20220328)

e.g. 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328'
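Whichever route you take (the constraints in the first answer or the micro-patched BOM in the second), it is worth confirming what Gradle actually selected rather than trusting the build file. Below is an added checker, not code from either answer, that parses the tree printed by `gradle dependencies --configuration compileClasspath` and compares the selected jackson-databind version against the first fixed release; the two tree texts it embeds are constructed sample output.

```python
import re
from typing import Optional, Tuple

# Gradle prints each module as "group:name:requested -> selected"; the
# "-> selected" part is absent when nothing overrode the request, "(c)"
# marks a constraint line and "(*)" a subtree already shown.
_DEP_RE = re.compile(
    r"(?P<ga>[\w.\-]+:[\w.\-]+):(?P<req>\{[^}]*\}|\S+)(?:\s+->\s+(?P<sel>\S+))?"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for Jackson's 3- or 4-part versions: '2.13.2' equals
    '2.13.2.0', and the micro patch '2.13.2.20220328' sorts above '2.13.2.1'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return parts + (0,) * (4 - len(parts))

def resolved_version(tree: str, module: str) -> Optional[str]:
    """Version Gradle selected for `module`; Gradle resolves one version per
    configuration, so the first occurrence is authoritative. None if absent."""
    for line in tree.splitlines():
        m = _DEP_RE.search(line)
        if m and m.group("ga") == module:
            return m.group("sel") or m.group("req")
    return None

def is_fixed(tree: str, module: str, fixed_in: str) -> bool:
    """True when the selected version is at least the first fixed release."""
    sel = resolved_version(tree, module)
    return sel is not None and parse_version(sel) >= parse_version(fixed_in)

DATABIND = "com.fasterxml.jackson.core:jackson-databind"

# Constructed sample: the first answer's constraints applied to a build that
# originally asked for jackson-databind 2.12.6.
PATCHED_TREE = r"""
compileClasspath - Compile classpath for source set 'main'.
+--- com.fasterxml.jackson.core:jackson-databind:2.12.6 -> 2.13.2.1
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.13.2
|    +--- com.fasterxml.jackson.core:jackson-core:2.13.2
|    \--- com.fasterxml.jackson:jackson-bom:2.13.2.20220328
\--- com.fasterxml.jackson.core:jackson-databind:{require 2.13.2.1} -> 2.13.2.1 (c)
"""

# Constructed sample: the same build before any fix was applied.
UNPATCHED_TREE = r"""
compileClasspath - Compile classpath for source set 'main'.
\--- com.fasterxml.jackson.core:jackson-databind:2.12.6
     \--- com.fasterxml.jackson.core:jackson-core:2.12.6
"""
```

Run it against the real `gradle dependencies` output for every configuration that ships to production (runtimeClasspath as well as compileClasspath), since a constraint that only covers one configuration leaves the other unpatched.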
