
Transitive dependency on Jackson 2.8.8 with many known vulnerabilities #698

Open
wborn opened this issue Dec 2, 2022 · 2 comments
Open


wborn commented Dec 2, 2022

The moquette-broker:0.15 artifact has a transitive dependency through librato-java:2.1.0 on Jackson 2.8.8 which has many known vulnerabilities:

It shows up in IntelliJ IDEA like this:

Screenshot from 2022-12-02 13-39-10

Dependency tree:

Screenshot from 2022-12-02 13-38-08

@hylkevds (Collaborator) commented:

Librato is no longer maintained. We should move away from it.

@hylkevds (Collaborator) commented:

That said, given that the Librato reporter as used only serialises JSON, and doesn't de-serialise client-generated JSON, the vulnerabilities can't be triggered.
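For a consumer who does not want to wait for the project to drop Librato, the usual mitigation for a vulnerable transitive dependency is to exclude the unmaintained artifact and pin Jackson to a patched release through dependency management. The fragment below is an added example, not code from the Moquette project or from anyone in this thread. It assumes the Maven coordinates io.moquette:moquette-broker and com.librato.metrics:librato-java, and JACKSON_PATCHED_VERSION is a placeholder for whichever Jackson release your scanner reports as clean.

```xml
<!-- Added example (not from the Moquette project or this thread):
     a consumer's pom.xml that removes the librato-java transitive
     dependency and forces any remaining Jackson artifacts to a pinned
     version. Group IDs are assumed; JACKSON_PATCHED_VERSION is a
     placeholder, not a version stated on the issue page. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Importing the Jackson BOM pins jackson-core, jackson-databind
           and jackson-annotations together, so the modules stay at
           matching versions instead of mixing 2.8.8 with a newer one. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>JACKSON_PATCHED_VERSION</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.moquette</groupId>
      <artifactId>moquette-broker</artifactId>
      <version>0.15</version>
      <exclusions>
        <!-- The Librato reporter is only needed when metrics are exported
             to Librato; excluding it removes the path that pulls in
             Jackson 2.8.8 in the first place. -->
        <exclusion>
          <groupId>com.librato.metrics</groupId>
          <artifactId>librato-java</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm the result with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` so the tree no longer shows 2.8.8, and run the broker with your real configuration: excluding a jar is only safe if none of the code paths you actually exercise load the reporter, otherwise the failure moves from scan time to a runtime NoClassDefFoundError. Pinning via the BOM is the lower-risk option when the reporter must stay.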

@andsel andsel self-assigned this Jan 25, 2023