2017-12-12 15:29 GMT+01:00 Emi <em...@encs.concordia.ca>:
> Hello,
>>
>> vulnerability exists in a JSON Jackson library and it's registered under
>> CVE-2017-7525.
>
> I think you mean the following jars, right?
>
> (1) jackson-core-2.9.2.jar
> (2) jackson-annotations-2.9.0.jar
> (3) jackson-databind-2.9.2.jar

I didn't analyse which jars are affected by the CVE but I think you
are right and mostly it will be jackson-databind only.

>> Please read the bulletin [1] and apply possible
>> solutions. This vulnerability impacts anyone using the vulnerable
>> Jackson JSON library (not only Struts users).
>>
>> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
>
> So, if I do not use the above jars, it should be fine?

Yes


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
