Hello, I just found out that currently cassandra-driver-core:3.11.0 uses jackson-databind:2.7.9.3, which has 47 vulnerabilities (https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.3). I understand that jackson-databind is not used extensively in the implementation, but I am wondering if cassandra-driver-core will be safe to use given the vulnerabilities and whether we should upgrade jackson-databind to the newer version.
The jackson-databind package has been updated to version 2.10.0 in Java driver 4.3 and version 2.12.0 in Java driver 4.10.
I fully understand that it isn't possible to just upgrade to a newer version of the Java driver since the 4.x versions are not binary-compatible with the 3.11 versions of the driver.
I am not aware of newer versions of jackson-databind being tested with 3.11 versions of the driver so if your tests prove to be successful, it would be great if you could log a Jira with the details so it could be reviewed by the driver developers. Cheers!
7 People are following this question.
