Just unzipped TomEE 8.0.1 Plus, and it has jackson-databind-2.10.0.jar in it. The CVE shows versions up to 2.9.10.2 being affected. I haven't dug into it any further - but to me, it looks like this isn't affected. Do you agree?
Jon

On Wed, Mar 11, 2020 at 10:59 AM Jonathan Gallimore <[email protected]> wrote:

> I'll apply the fix today, but please note that getting a release out
> depends on the Java EE API vote I just bumped on the dev@ list here this
> morning.
>
> Jon
>
> On Wed, Mar 11, 2020 at 10:26 AM dkwakkel <[email protected]> wrote:
>
>> FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain
>> xbean-reflect/JNDI blocking, as demonstrated by
>> org.apache.xbean.propertyeditor.JndiConverter.
>>
>> 8.0.1 ships jackson-databind-2.10.0.jar and xbean-reflect-4.14.jar
>>
>> CVE score is 9.8, so can we expect TomEE 8.0.2 with this fix in it soon?
>>
>> --
>> Sent from:
>> http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html
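Jon's reasoning above (2.10.0 sits above the 2.0.0 through 2.9.10.2 range) can be checked mechanically; the script below is an added example, not code from the thread or from the TomEE project. It picks jackson-databind jars out of a TomEE lib/ directory listing and compares the version numerically against the range quoted in the thread, because a plain string comparison sorts "2.10.0" below "2.9.10.2" and would wrongly flag the shipped jar. The lib/ path and the sample jar names are assumptions.

```python
import re
from pathlib import Path

# Affected range as stated in the thread: 2.0.0 through 2.9.10.2, inclusive.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 9, 10, 2)

JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Split a dotted version into a tuple of ints so it compares numerically.
    Comparing the raw strings is the classic mistake: "2.10.0" < "2.9.10.2" as text."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when the version falls inside the affected range, inclusive at both ends."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def check_jar_names(jar_names):
    """Return {jar_name: affected?} for every jackson-databind jar in the listing."""
    result = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            result[name] = is_affected(m.group(1))
    return result


def check_lib_dir(lib_dir):
    """Scan a real distribution directory (assumed path such as apache-tomee-plus-8.0.1/lib)."""
    return check_jar_names(p.name for p in Path(lib_dir).iterdir())


if __name__ == "__main__":
    # Constructed sample: the jar named in the thread plus an in-range one for contrast.
    sample = ["jackson-databind-2.10.0.jar", "jackson-databind-2.9.10.2.jar",
              "xbean-reflect-4.14.jar"]
    for jar, hit in check_jar_names(sample).items():
        print(f"{jar}: {'AFFECTED' if hit else 'not in affected range'}")
```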
