[ https://issues.apache.org/jira/browse/CASSANDRA-16462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-16462:
-----------------------------------------
    Status: Review In Progress  (was: Patch Available)

> Upgrade to Jackson Databind 2.9.10.8 or later fix high vulnerabilities 
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-16462
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16462
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Dependencies
>            Reporter: Bhargav Joshi
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.11.x, 4.0-rc
>
>
> There are 22 high CVEs
> CVE ID | Severity | Packages | Source Package | Fixed Package Version
> -- | -- | -- | -- | --
> CVE-2020-24750 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.6
> CVE-2020-24616 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.6
> CVE-2020-14195 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.5
> CVE-2020-14062 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.5
> CVE-2020-14061 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.5
> CVE-2020-14060 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.5
> CVE-2020-35491 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-35490 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-35728 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2021-20190 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.7
> CVE-2020-25649 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.10.5.1, 2.9.10.7, 2.6.7.4
> CVE-2020-36187 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36188 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36189 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36186 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36185 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36183 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36184 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36182 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36179 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36180 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8
> CVE-2020-36181 | high | com.fasterxml.jackson.core_jackson-databind | 2.9.10.4 | fixed in 2.9.10.8


