jackson-databind vulerability fix

Did any one updated their application with a fix to the jackson-databind 2.12.6 vulerability error. Its fixed in v 2.13.12.1, but when I update my gradle to refer to this latest library, I get another dependency error, which my gradle isn't able to download it. Please assist if you have any alternatives.

The build error is

FAILURE: Build failed with an exception. * What went wrong: Execution failed for task ':compileJava'. > Could not resolve all files for configuration ':compileClasspath'. > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. Required by: project : > com.fasterxml.jackson.core:jackson-databind:2.13.2.1 > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. > Could not get resource ' > Could not GET ' Received status code 503 from server: Service Unavailable > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. Required by: project : > com.fasterxml.jackson.core:jackson-annotations:2.13.2 project : > com.fasterxml.jackson.core:jackson-core:2.13.2 > Could not resolve com.fasterxml.jackson:jackson-bom:2.13.2.1. > Could not get resource ' > Could not GET ' Received status code 503 from server: Service Unavailable 

2 Answers

You can use dependency constraints like this:

def jackson_version = '2.13.2' def jackson_databind_version = '2.13.2.1' constraints { compile("com.fasterxml.jackson:jackson-bom") { version { strictly jackson_version } because 'previous versions are vulnerable to CVE-2020-36518' } compile("com.fasterxml.jackson.core:jackson-databind") { version { require jackson_databind_version } because 'previous versions are vulnerable to CVE-2020-36518' } } 

See for details.

This should force gradle to use the older version of jackson-bom/core and the newer/fixed version of jackson databind.

3

It seems there is a error with this(2.13.2.1) version

Try to use micro patch 2.13.2.20220328()

e.g 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328'

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.

You Might Also Like