Issues with public CVEs (Security vuln report) #1799
Comments
This issue is invalid. These are provided-scope dependencies. The version referenced in the POM is not (necessarily) the version used at runtime. Note that we do scan for reported vulnerabilities in embedded (compile-scope) dependencies.

@justinedelson It does not make sense to me that POMs refer to old versions which have security threats. It's not always safe to assume that the runtime version will be different. Is there any issue if we change the dependency to the latest version? @kaushalmall Can you help here? The Microsoft team has concerns with the CVE report and has been pushing to fix it.

@vivekm2017 those are the versions available in AEM 6.3 (or at least should be -- an interesting enhancement to #1797 could be to detect the cases where the lower bound can be raised). So changing the versions would break compatibility with AEM 6.3.
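The scope distinction discussed in the comments above, as an added example that is not code from this issue or from the ACS AEM Commons project: a small Python check that reads a constructed pom.xml and treats only compile/runtime-scope dependencies as embedded in the bundle, while provided-scope ones are flagged for a runtime (container) version check instead. The jackson-databind threshold (2.x before 2.9.7) is the one quoted in the issue; the org.example artifact and its fixed version are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM; not the real ACS AEM Commons pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.8.4</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>embedded-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>"""

# groupId:artifactId -> first fixed version. jackson-databind comes from the
# issue text (2.x before 2.9.7 is affected); org.example is a constructed placeholder.
ADVISORIES = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.7",
    "org.example:embedded-lib": "1.1.0",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """Numeric x.y.z tuple; sufficient for plain release versions."""
    return tuple(int(p) for p in text.split(".")[:3])

def dependencies(pom_xml):
    """Yield (groupId:artifactId, version, scope); Maven's default scope is compile."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall("m:dependencies/m:dependency", NS):
        field = lambda tag: (dep.findtext("m:" + tag, default="", namespaces=NS) or "").strip()
        yield field("groupId") + ":" + field("artifactId"), field("version"), field("scope") or "compile"

def classify(pom_xml, advisories=ADVISORIES):
    """compile/runtime deps ship inside the built bundle, so a vulnerable version there
    is a real finding; provided/test deps are supplied by the container at runtime,
    so the POM version only says which container version to verify."""
    findings = {}
    for ga, version, scope in dependencies(pom_xml):
        fixed = advisories.get(ga)
        if fixed is None or parse_version(version) >= parse_version(fixed):
            findings[ga] = "ok"
        elif scope in ("compile", "runtime"):
            findings[ga] = "embedded-vulnerable"    # must upgrade in the POM
        else:
            findings[ga] = "provided-check-runtime" # check the deployed container's version
    return findings
```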
Required Information
Component governance has reported 5 issues with POM dependency on com.fasterxml.jackson.core:jackson-databind:
"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization."
Expected Behavior
Upgrade dependency for com.fasterxml.jackson.core to version 2.9.8 in bundle POM.
Actual Behavior
com.fasterxml.jackson.core version 2.8.4 is included.
Steps to Reproduce
Run the component compliance CVE on any project using ACS AEM commons 4.0.0 as dependency.
Links
[1] FasterXML/jackson-databind#2097