Skip to content

Commit

Permalink
Suppress jackson-databind CVE-2018-1000873, won't fix in 2.8.x series
Browse files Browse the repository at this point in the history
Upstream is not fixing this issue in 2.8.x we need to upgrade to at
least >= 2.9.8.
Ref
FasterXML/jackson-modules-java8#90 (comment)

RDM-3796
  • Loading branch information
Dwayne Bailey authored and Dwayne Bailey committed Jan 29, 2019
1 parent e307cdd commit b10abb8
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions dependency-check-suppressions.xml
Original file line number Diff line number Diff line change
Expand Up @@ -124,8 +124,11 @@
<cve>CVE-2018-19362</cve>
</suppress>
<suppress>
<notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
<notes>jackson-databind 2.8.x will not get a fix for this CVE. We need
to upgrade to 2.9.x. See
https://github.com/FasterXML/jackson-modules-java8/issues/90#issuecomment-450544881
and RDM-3796</notes>
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
<cve>CVE-2018-1000873</cve>
</suppress>
<suppress>
Expand Down

0 comments on commit b10abb8

Please # to comment.