Details
- Type: Bug
- Status: Open
- Priority: Critical
- Resolution: Unresolved
- Component/s: java-client-api
Description
Update jackson-databind from 2.9.9 to 2.9.9.3
This is to address four separate CVEs, two of which are critical:
- CVE-2019-14379 (9.8)
- CVE-2019-14439 (7.5)
- CVE-2019-12384 (5.9)
- CVE-2019-12814 (5.9)
As java-client-api uses three separate jackson modules, I suggest addressing the problem by using a jackson-bom POM import (2.9.9.20190807) in dependencyManagement.
Submitted pull request: https://github.com/jenkinsci/java-client-api/pull/427