CVE-2018-1000873 via Jackson 2.8.11 in Spring 4 [SPR-17656] #22185
Assignees
Labels
status: invalid
An issue that we don't feel is valid
Comments
spring-projects-issues
added
status: waiting-for-triage
bclozel
added
status: invalid
|
Closing this issue as this was addressed in spring-projects/spring-boot#15664 |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
GFriedrich opened SPR-17656 and commented
Hi,
I just got aware of the CVE-2018-1000873. Unfortunately it affects all versions of Jackson < 2.9.8.
As far as I can see, Spring 4 uses version 2.8.11 as optional dependency. So I guess it would be safe to update the version without breaking Spring. Is my assumption correct?
If so: Are you planning to update the Jackson version for the Spring 4.x branch and create a release?
Thanks in advance for any info.
Affects: 4.3.22
The text was updated successfully, but these errors were encountered: