[ https://issues.apache.org/jira/browse/TOMEE-4227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17784919#comment-17784919 ]
RAJU THANNEERU commented on TOMEE-4227:
---------------------------------------

Hi [~rzo1],

Jackson 2.15.2 is also vulnerable. See the link below:
[https://nvd.nist.gov/vuln/detail/CVE-2023-35116]

We need to upgrade to 2.15.3 to solve this CVE.

> Jackson 2.15.2
> --------------
>
>                 Key: TOMEE-4227
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4227
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 8.0.15, 9.1.0
>            Reporter: Nikhil
>            Assignee: Richard Zowalla
>            Priority: Major
>              Labels: cve
>             Fix For: 10.0.0, 8.0.16, 9.1.1
>
>
> h1. Vulnerability Details
> h2. CVE-2023-35116
> {*}Summary{*}: An issue was discovered in jackson-databind through 2.15.2 that allows
> attackers to cause a denial of service or other unspecified impacts via a
> crafted object that uses cyclic dependencies. NOTE: the vendor's perspective
> is that the product is not intended for use with untrusted input.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
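A quick way to confirm which deployed jackson-databind jars still fall in the range the ticket calls vulnerable (through 2.15.2, fixed in 2.15.3). This is an added example, not code from the TomEE project or the ticket; the jar names are constructed sample input standing in for a listing of a server's lib directory.

```python
"""Flag jackson-databind jars at or below 2.15.2, the last release the
TOMEE-4227 ticket cites as affected by CVE-2023-35116."""
import re

# First release the ticket names as carrying the fix.
FIXED_VERSION = (2, 15, 3)

# Matches jackson-databind-<numeric version>[-qualifier].jar and captures
# only the numeric part, so "2.13.4.2" or "2.15.3-SNAPSHOT" both parse.
JAR_RE = re.compile(
    r"^jackson-databind-(\d+(?:\.\d+)*)(?:[.-][0-9A-Za-z]+)*\.jar$"
)


def parse_version(text):
    """Turn '2.15.2' into (2, 15, 2) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def jackson_databind_version(jar_name):
    """Return the version tuple for a jackson-databind jar, else None."""
    match = JAR_RE.match(jar_name)
    return parse_version(match.group(1)) if match else None


def vulnerable_jackson_jars(jar_names):
    """Return the jackson-databind jar names older than FIXED_VERSION."""
    hits = []
    for name in jar_names:
        version = jackson_databind_version(name)
        if version is not None and version < FIXED_VERSION:
            hits.append(name)
    return hits


# Constructed sample listing; not taken from any real TomEE installation.
SAMPLE_LIB_DIR = [
    "jackson-core-2.15.2.jar",
    "jackson-databind-2.15.2.jar",
    "jackson-databind-2.15.3.jar",
    "jackson-databind-2.13.4.2.jar",
    "jackson-annotations-2.15.2.jar",
]

if __name__ == "__main__":
    for jar in vulnerable_jackson_jars(SAMPLE_LIB_DIR):
        print(f"needs upgrade to 2.15.3 or later: {jar}")
```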