Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.2 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2018-7489] Incomplete Blacklist, Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2017-17485] Improper Control of Generation of Code ("Code Injection")
• (CVSS 8.1) [CVE-2018-5968] Incomplete Blacklist, Deserialization of Untrusted Data

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.2 is a transitive dependency introduced by the following direct dependency(s):

• org.sonatype.nexus:nexus-plugin-api:3.14.0-04
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
        └─ org.sonatype.nexus:nexus-blobstore-api:3.14.0-04
              └─ com.fasterxml.jackson.core:jackson-databind:2.9.2

• org.sonatype.nexus:nexus-repository:3.14.0-04
        └─ org.sonatype.nexus:nexus-orient:3.14.0-04
              └─ com.orientechnologies:orientdb-server:2.2.36
                    └─ com.orientechnologies:orientdb-tools:2.2.36
                          └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
              └─ com.fasterxml.jackson.datatype:jackson-datatype-joda:2.9.2
                    └─ com.fasterxml.jackson.core:jackson-databind:2.9.2
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

@DarthHater - looks like we get this dep via inheritance from core, think this issue should probably be closed since there's not much this repo can do about it?

Not technically, we can update to Nexus Repo 3.15 (which just went live). That's likely the course of action on these if it's something we get from the parent.