I've recently ran a dependency check on the camel-jackson 2.21.0 and
it appears that the version of jackson being used (2.8.10) has two
High/Severe vulnerabilities.

To fix this for camel-jackson we'll need to upgrade as follows:

CVE-2017-17485 - Jackson 2.9.3 or greater
CVE-2018-7489 - Jackson 2.9.5 or greater

I can see that the parent pom on the mainline has been upgraded to
2.9.4 (as part of spring boot 2 migration), so that covers
CVE-2017-17485 'for free'

More information available here:


Shall I raise a JIRA to address this (possible as two separate tickets
to track both issues?)



Reply via email to