Scim2 is using jackson-databind with some security issues
ShaManHFel opened this issue
Describe the bug
There were some security fixes in jackson-databind put in version 2.9.9.1 through 2.9.9.3. Please upgrade to 2.9.9.3
Additional context
An excerpt from the jackson-databind changelog:
2.9.9.3 (06-Aug-2019)
#2395: NullPointerException from ResolvedRecursiveType (regression due to fix for #2331)
 (reported by Michael S)

2.9.9.2 (27-Jul-2019)
#2331: JsonMappingException through nested getter with generic wildcard return type
#2387: Block yet another deserialization gadget (CVE-2019-14379)
#2389: Block yet another deserialization gadget (CVE-2019-14439)
 (reported by xiexq)

2.9.9.1 (03-Jul-2019)
#2334: Block one more gadget type (CVE-2019-12384)
#2341: Block one more gadget type (CVE-2019-12814)
#2374: ObjectMapper.getRegisteredModuleIds() throws NPE if no modules registered
 (reported by Edgar A)
Release 2.3.1 will include jackson-databind 2.9.9.3.