Remediate new vulnerabilities with jackson-databind
sasikumar-ms7 opened this issue
sasikumar-ms7 commented
There is a new vulnerability, CVE-2022-42003, in the jackson-databind version used by logstash-logback-encoder. Please upgrade the Jackson version to [2.14.0-rc1].
Bertrand Renuart commented
Thanks for reporting.
This vulnerability affects Jackson when it is used to read JSON data and map it to POJO.
LLE uses Jackson to produce JSON and is therefore not affected by this CVE.
Anyway, the dependency will be upgraded to 2.14.0 when it is released.
sasikumar-ms7 commented
jackson-databind 2.14.x is released. Do you have any timelines to upgrade the latest dependency?
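For readers who cannot wait for the library release, the following is an added example (not part of this thread and not logstash-logback-encoder's own build file) of pinning the Jackson version in a consuming application's Maven POM. It assumes a Maven build that declares logstash-logback-encoder directly; the Jackson coordinates and the `jackson-bom` import are Jackson's published Maven artifacts, the 2.14.0 version comes from the thread, and the LLE version is a placeholder to fill in.

```xml
<!-- Added example: force the Jackson modules pulled in transitively by
     logstash-logback-encoder onto the 2.14.0 line from the consuming
     application's POM. Importing jackson-bom keeps jackson-core,
     jackson-annotations and jackson-databind at one consistent version,
     which avoids the runtime mismatch that pinning databind alone can cause. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>2.14.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>net.logstash.logback</groupId>
      <artifactId>logstash-logback-encoder</artifactId>
      <!-- placeholder: use the LLE version your project already declares -->
      <version>LLE-VERSION-PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree` should show every `com.fasterxml.jackson.*` artifact resolved to 2.14.0. As the maintainer notes above, LLE only serializes with Jackson, so this override addresses scanner findings and any deserialization the application itself performs rather than a code path inside LLE.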