Update the dependency of jackson-databind due to security vulnerability.
Activity
Rituraj Singh, June 30, 2022 at 12:58 PM
Hi Stefan,
Thank you for the input. Yes, we will handle it on our platform level, so you can close the ticket.
Thanks,
Rituraj Singh
Stefan Seifert, June 21, 2022 at 9:06 AM (edited)
Thanks for reaching out - which of the caravan modules are you referring to with this ticket? https://caravan.wcm.io/
wcm.io caravan is a set of modular OSGi-based libraries. The dependencies that are defined in the Maven POM define which interface (OSGi package version) we compile against. We do not ship with these dependencies; this is fully controlled by the OSGi container our modules are deployed to.
It's OSGi best practice to compile against the lowest possible version that is minimally required. Usually that is not the version that is actually used in the OSGi container.
Description
Please refer to the screenshot attached.
Can you please update the dependency of com.fasterxml.jackson.core » jackson-databind, as it has one direct vulnerability?
Direct vulnerabilities:
CVE-2020-36518 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518
Currently the latest version is using:
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>2.11.4</version>
    </dependency>
Version 2.13 onwards for the above is safe.
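The resolution model described in the comment thread above, as an added example (not code from the wcm.io Caravan project or from the ticket): a bundle compiled against 2.11.4 only declares an import range, and the version actually used is whichever one the OSGi container exports that satisfies it. The manifest text and the `[2.11,3)` range are constructed assumptions; on a real deployment read the bundle's own `META-INF/MANIFEST.MF`.

```python
import re

# Constructed sample: an Import-Package header a bundle compiled against
# jackson 2.11.4 could carry (the range is an assumption, not Caravan's manifest).
SAMPLE_MANIFEST = (
    "Bundle-SymbolicName: example.bundle\n"
    "Import-Package: com.fasterxml.jackson.databind;version=\"[2.11,3)\",\n"
    " com.fasterxml.jackson.core;version=\"[2.11,3)\",org.slf4j\n"
)

def parse_version(text):
    """OSGi version -> (major, minor, micro); the qualifier is ignored."""
    parts = text.strip().split(".")[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def import_ranges(manifest):
    """Return {package: version range or None} from the Import-Package header."""
    unfolded = manifest.replace("\r\n", "\n").replace("\n ", "")  # join continuation lines
    header = next((line.split(":", 1)[1] for line in unfolded.split("\n")
                   if line.startswith("Import-Package:")), "")
    ranges = {}
    # Split clauses on commas outside double quotes (ranges contain commas).
    for clause in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header):
        fields = [f.strip() for f in clause.split(";")]
        version = next((f.split("=", 1)[1].strip('"') for f in fields
                        if f.startswith("version=")), None)
        for name in fields:
            if name and "=" not in name:  # attributes and directives contain "="
                ranges[name] = version
    return ranges

def in_range(version, rng):
    """True if version satisfies an OSGi range such as "[2.11,3)" or a bare "2.11"."""
    v = parse_version(version)
    if rng is None:
        return True  # no version attribute: any exported version matches
    if rng[0] not in "[(":
        return v >= parse_version(rng)  # a bare version means "at least"
    low, high = rng[1:-1].split(",")
    low_ok = v >= parse_version(low) if rng[0] == "[" else v > parse_version(low)
    high_ok = v <= parse_version(high) if rng[-1] == "]" else v < parse_version(high)
    return low_ok and high_ok

def wires_to(manifest, package, exported_version):
    """Would the version exported by the container satisfy this bundle's import?"""
    ranges = import_ranges(manifest)
    return package in ranges and in_range(exported_version, ranges[package])
```

With the sample manifest, `wires_to(SAMPLE_MANIFEST, "com.fasterxml.jackson.databind", "2.13")` is true, so upgrading the copy in the container is enough and the bundle's POM does not need to change.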