[ https://issues.apache.org/jira/browse/TIKA-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953492#comment-16953492 ]
Abhijit Rajwade edited comment on TIKA-2890 at 10/17/19 8:21 AM:
-----------------------------------------------------------------
[~hudson]
Jackson version 2.10.0 has a fix for the long-standing vulnerability with
global default typing / polymorphic de-serialization.
Refer to the following links for more info:
https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10
Can you please upgrade to Jackson 2.10.0?
was (Author: arajwade):
Jackson version 2.10.0 has a fix for the long-standing vulnerability with
global default typing / polymorphic de-serialization.
Refer to the following links for more info:
https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10
Can you please upgrade to Jackson 2.10.0?
> Critical security vulnerability in dependencies
> -----------------------------------------------
>
> Key: TIKA-2890
> URL: https://issues.apache.org/jira/browse/TIKA-2890
> Project: Tika
> Issue Type: Improvement
> Components: parser
> Affects Versions: 1.21
> Reporter: Kyle DuPont
> Priority: Major
> Fix For: 1.23
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> The parser dependency jackson-databind:2.9.8 has a critical vulnerability as
> per:
> [https://ossindex.sonatype.org/vuln/5bbadb96-496f-4534-a513-7a6396f54029]
> This should be bumped to >2.9.9 to resolve this vulnerability.