[FP]: jackson-databind for CVE-2017-7525

Question

[FP]: jackson-databind for CVE-2017-7525

githubuserVenkat opened this issue 3 months ago · comments

githubuserVenkat commented 3 months ago

Package URl

pkg:maven/org.codehaus.jackson/jackson-mapper-asl@1.9.13

CPE

cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:::::::*

CVE

CVE-2017-7525

ODC Integration

None

ODC Version

9.0.9

Description

Actual vulnerable component is jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9

github-actions · Answer 1 · Mon Feb 19 2024 16:13:25 GMT+0800 (China Standard Time)

Maven Coordinates

<dependency>
   <groupId>org.codehaus.jackson</groupId>
   <artifactId>jackson-mapper-asl</artifactId>
   <version>1.9.13</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6476
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-mapper-asl@.*$</packageUrl>
   <cpe>cpe:/a:fasterxml:jackson-mapper-asl</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7956434408

Hans Aikema · Answer 2 · Fri Feb 23 2024 02:49:28 GMT+0800 (China Standard Time)

https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl

jackson-mapper-asl was moved to jackson-databind