Hello,

snyk.io are reporting this DoS vulnerability for jackson-dataformat-cbor versions [0,2.11.4) || [2.12.0-rc1,2.12.1): https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329

This vulnerability still exists in the latest Dropwizard release (v2.0.20), since the Jackson version used is "2.10.5.20201202", which is dependent on the jackson-bom tag "jackson-bom-2.10.5.20201202", which references this vulnerable cbor version. This is fixed in version 2.11.4 and up or 2.12.1 and up. Version 2.12.2 has been on Dropwizard master for 2 months, but I don't know why it has not been included in any Dropwizard release since.

Would you be able to tell if we have a roadmap for a Jackson upgrade soon?

Thanks,
Uziel
