Vulnerable dependency #1378

Closed
LSmyrnaios opened this issue Nov 2, 2022 · 0 comments · Fixed by #1379
@LSmyrnaios
Hi,
Since you do not have a Security policy, I am posting this here.

IntelliJ IDEA reports that minio contains a vulnerable dependency.
The warning is as follows:

Provides transitive vulnerable dependency com.fasterxml.jackson.core:jackson-databind:2.13.2.2
CVE-2022-42003 7.5 Deserialization of Untrusted Data vulnerability pending CVSS allocation
CVE-2022-42004 7.5 Deserialization of Untrusted Data vulnerability pending CVSS allocation
Results powered by Checkmarx(c)

The Maven Repository reports some vulnerabilities too, even on later versions of that dependency.

Please update the com.fasterxml.jackson.core:jackson-databind dependency to v.2.13.4.2 (or to a later one, at the time of the update) and issue a hotfix release.
You can also enable GitHub's Dependabot alerts in this and other repositories to get security alerts.

Thank you.
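
Added example, not part of the original issue or the minio-java project: a Python check that scans `mvn dependency:tree` text output for `jackson-databind` versions below the 2.13.4.2 requested above and names the direct dependency that pulls each one in. The sample tree, `com.example:app` and the `0.0.0-example` version are constructed; using 2.13.4.2 as the threshold is an assumption taken from the issue text, and patched releases on older branches are not modelled.

```python
import re

# Threshold taken from the issue text (assumption: anything below it is flagged).
TARGET = "com.fasterxml.jackson.core:jackson-databind"
MIN_VERSION = "2.13.4.2"

# Constructed sample of `mvn dependency:tree` output; only the
# jackson-databind version comes from the issue.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.minio:minio:jar:0.0.0-example:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO] BUILD SUCCESS
"""

# Tree prefix is 3 characters per level ("|  " or "   "), then "+- " or "\- ".
LINE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<branch>[+\\]- )?(?P<coord>\S+)$")

def version_key(version):
    """Numeric tuple for comparison; a qualifier such as -SNAPSHOT is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_outdated(tree_text, target=TARGET, minimum=MIN_VERSION):
    """Return (version, direct_dependency) for each target entry below minimum."""
    findings, path = [], []  # path[d] = group:artifact of the ancestor at depth d
    for line in tree_text.splitlines():
        m = LINE.match(line.rstrip())
        parts = m.group("coord").split(":") if m else []
        if len(parts) < 4:
            continue  # banner, separator or status line
        depth = len(m.group("indent")) // 3 + (1 if m.group("branch") else 0)
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        ga = f"{parts[0]}:{parts[1]}"
        del path[depth:]
        path.append(ga)
        if ga == target and version_key(version) < version_key(minimum):
            via = path[1] if depth > 1 else None  # None: declared directly
            findings.append((version, via))
    return findings

if __name__ == "__main__":
    for version, via in find_outdated(SAMPLE_TREE):
        print(f"{TARGET}:{version} is below {MIN_VERSION} (pulled in via {via})")
```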

balamurugana added a commit to balamurugana/minio-java that referenced this issue Nov 2, 2022
balamurugana added a commit to balamurugana/minio-java that referenced this issue Nov 2, 2022
harshavardhana pushed a commit that referenced this issue Nov 14, 2022