Vulnerabilities associated with jackson-databind 2.8.11.3

Sunil_Chadha · April 16, 2020, 5:04pm

Hi,

In the Elasticsearch 6.8.4 jackson-databind version 2.8.11.3 used.
This version of Jackson-databind has many high vulnerabilities associated.

CVE-2019-16943
CVE-2018-19360
CVE-2019-14893
CVE-2018-14719
CVE-2019-16335
CVE-2019-14892
CVE-2017-7525
CVE-2018-14718
CVE-2018-19362
CVE-2020-11612
CVE-2019-14540
CVE-2019-17531
CVE-2019-17267
CVE-2018-5382
CVE-2018-14721
CVE-2019-20330
CVE-2020-8840
CVE-2018-19361
CVE-2019-16942
CVE-2019-14379
CVE-2018-14720

How is Jackson-databind used in Elasticsearch, whether these vulnerabilties applies to Elasticsearch 6.8.4 OSS?

I notices that Elasticsearch mater use jackson = 2.10.3.
When is it planned to be released?

Thanks & Regards,

Sunil

system · May 14, 2020, 5:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.