Vulnerabilities associated with jackson-databind 2.8.11.3

Sunil_Chadha · April 16, 2020, 5:04pm

Hi,

In the Elasticsearch 6.8.4 jackson-databind version 2.8.11.3 used.
This version of Jackson-databind has many high vulnerabilities associated.

CVE-2019-16943
CVE-2018-19360
CVE-2019-14893
CVE-2018-14719
CVE-2019-16335
CVE-2019-14892
CVE-2017-7525
CVE-2018-14718
CVE-2018-19362
CVE-2020-11612
CVE-2019-14540
CVE-2019-17531
CVE-2019-17267
CVE-2018-5382
CVE-2018-14721
CVE-2019-20330
CVE-2020-8840
CVE-2018-19361
CVE-2019-16942
CVE-2019-14379
CVE-2018-14720

How is Jackson-databind used in Elasticsearch, whether these vulnerabilties applies to Elasticsearch 6.8.4 OSS?

I notices that Elasticsearch mater use jackson = 2.10.3.
When is it planned to be released?

Thanks & Regards,

Sunil

system · May 14, 2020, 5:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Vulnerability CVE-2020-25649 reported on Elasticsearch 7.17.4 Elasticsearch	3	434	July 11, 2022
Vulnerabilities in latest docker image of Elasticsearch 8.3.1 Elasticsearch docker	2	757	August 16, 2022
Logstash--jackson-databind vulnerabilities for logstash-7.9.0 Logstash	1	344	December 8, 2020
Vulnerability CVE-2020-28491 reported on Elasticsearch 7.17.4 Elasticsearch	3	424	July 11, 2022
Logstash how to solve the problem about jackson-databind CVE-2020-9548 Logstash	1	434	October 20, 2020

Vulnerabilities associated with jackson-databind 2.8.11.3

Related topics