Asked by Phyllis9811, answered by Erick Ramirez

jackson-databind 2.7.9.3 in Java driver 3.11 has 47 vulnerabilities

Hello, I just found out that currently cassandra-driver-core:3.11.0 uses jackson-databind:2.7.9.3, which has 47 vulnerabilities (https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.3). I understand that jackson-databind is not used extensively in the implementation, but I am wondering if cassandra-driver-core will be safe to use given the vulnerabilities and whether we should upgrade jackson-databind to the newer version.

Tags: java driver, cve

1 Answer

Erick Ramirez answered

The jackson-databind package has been updated to version 2.10.0 in Java driver 4.3 and version 2.12.0 in Java driver 4.10.

I fully understand that it isn't possible to just upgrade to a newer version of the Java driver since the 4.x versions are not binary-compatible with the 3.11 versions of the driver.

I am not aware of newer versions of jackson-databind being tested with 3.11 versions of the driver, so if your tests prove to be successful, it would be great if you could log a Jira with the details so it could be reviewed by the driver developers. Cheers!
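One way to run the test the answer suggests, as an added example that is not part of the original thread and not the driver project's own build configuration: a Maven `pom.xml` fragment that keeps `cassandra-driver-core` 3.11.0 but overrides the transitive `jackson-databind` 2.7.9.3 with a newer version through `dependencyManagement`. The 2.12.0 version number is taken from the answer above (the version bundled with Java driver 4.10); that it works with driver 3.11 is an assumption your own integration tests have to confirm, and `jackson-core` and `jackson-annotations` are pinned to the same version because the Jackson modules are expected to match minor versions.

```xml
<!-- Added example, not from the original thread or the driver project.
     Assumptions: jackson 2.12.0 (the version the answer names for driver 4.10)
     is compatible with cassandra-driver-core 3.11.0; verify with your tests. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>cassandra-client</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Single place to bump all Jackson modules together -->
    <jackson.version>2.12.0</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Overrides the 2.7.9.3 version pulled in transitively by the driver -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <!-- Keep core and annotations on the same minor version as databind -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The 3.x driver line discussed in the question; unchanged -->
    <dependency>
      <groupId>com.datastax.cassandra</groupId>
      <artifactId>cassandra-driver-core</artifactId>
      <version>3.11.0</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` shows which Jackson versions actually end up on the classpath; the goal is that only the pinned version appears under the driver. The override only changes what is resolved, not whether the driver's code works against the newer Jackson API, so the driver-backed parts of your test suite still have to pass before the result is worth reporting in a Jira as the answer asks.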
