Did any one updated their application with a fix to the jackson-databind 2.12.6 vulerability error. Its fixed in v 2.13.12.1, but when I update my gradle to refer to this latest library, I get another dependency error, which my gradle isn't able to download it. Please assist if you have any alternatives.
The build error is
FAILURE: Build failed with an exception. * What went wrong: Execution failed for task ':compileJava'. > Could not resolve all files for configuration ':compileClasspath'. > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. Required by: project : > com.fasterxml.jackson.core:jackson-databind:2.13.2.1 > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. > Could not get resource ' > Could not GET ' Received status code 503 from server: Service Unavailable > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. Required by: project : > com.fasterxml.jackson.core:jackson-annotations:2.13.2 project : > com.fasterxml.jackson.core:jackson-core:2.13.2 > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. > Could not get resource ' > Could not GET ' Received status code 503 from server: Service Unavailable 2 Answers
You can use dependency constraints like this:
def jackson_version = '2.13.2' def jackson_databind_version = '2.13.2.1' constraints { compile("com.fasterxml.jackson:jackson-bom") { version { strictly jackson_version } because 'previous versions are vulnerable to CVE-2020-36518' } compile("com.fasterxml.jackson.core:jackson-databind") { version { require jackson_databind_version } because 'previous versions are vulnerable to CVE-2020-36518' } } This should force gradle to use the older version of jackson-bom/core and the newer/fixed version of jackson databind.
3It seems there is a error with this(2.13.2.1) version
Try to use micro patch 2.13.2.20220328()
e.g 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328'