Vulnerability CVE-2020-25649 reported on Elasticsearch 7.17.4

Hello,

Vulnerability CVE-2020-25649 is reported on the jackson-databind-2.10.4.jar library of the ingest-geoip module of Elasticsearch (modules/ingest-geoip/jackson-databind-2.10.4.jar).

Are there any official statements regarding whether this vulnerability does indeed apply to Elasticsearch 7.17.4, or any plan to upgrade jackson-databind to a version that does not have the vulnerability?

If not, is there any way that I can help upgrade this dependency to a higher version?

Thanks for your help on this.
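A quick way to check what the post describes, as an added example that is not part of the thread and not Elastic's own tooling: walk an Elasticsearch install, list every bundled jackson-databind jar (the poster found modules/ingest-geoip/jackson-databind-2.10.4.jar) and flag copies below a minimum version. The script assumes jars keep the artifact-version.jar naming shown in the post, builds a throwaway directory of empty placeholder files (constructed input, not real jars) for the demonstration, and takes the minimum version from the caller; the 2.10.5.1 in the usage comment is the 2.10.x release that the public advisory for CVE-2020-25649 lists as fixed, which this thread itself does not state, so confirm it against the advisory before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or from Elastic: find bundled jackson-databind
# jars under an Elasticsearch install and flag those below a minimum version.
# Usage: . ./check-jackson.sh; check_jackson_jars /usr/share/elasticsearch 2.10.5.1
# (2.10.5.1 is taken from the public advisory for the CVE; verify it yourself.)

# ver_lt A B: succeed when dotted numeric version A sorts strictly before B.
# Compares up to four numeric fields so 2.10.5 < 2.10.5.1 and 2.9.10 < 2.10.4
# (plain string comparison would get both wrong). Avoids sort -V for portability.
ver_lt() {
  [ "$1" != "$2" ] && \
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)" = "$1" ]
}

# check_jackson_jars ROOT MIN: print one line per jackson-databind jar under ROOT,
# marking copies older than MIN as OLD. Returns the number of OLD jars (0 = clean).
# The version is parsed from the file name, the convention the post's path shows.
check_jackson_jars() {
  root=$1
  min=$2
  old=0
  for jar in $(find "$root" -type f -name 'jackson-databind-*.jar' | sort); do
    name=${jar##*/}
    ver=${name#jackson-databind-}
    ver=${ver%.jar}
    if ver_lt "$ver" "$min"; then
      printf 'OLD  %s (%s < %s)\n' "$jar" "$ver" "$min"
      old=$((old + 1))
    else
      printf 'OK   %s (%s)\n' "$jar" "$ver"
    fi
  done
  return "$old"
}

# make_sample_tree: constructed layout mirroring the poster's path plus one
# hypothetical second module ("example-module", not a real Elasticsearch module)
# carrying a newer copy. Files are empty placeholders; only the names matter.
# Prints the temporary root so the caller can inspect and remove it.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/modules/ingest-geoip" "$root/modules/example-module"
  : > "$root/modules/ingest-geoip/jackson-databind-2.10.4.jar"
  : > "$root/modules/example-module/jackson-databind-2.10.5.1.jar"
  printf '%s\n' "$root"
}
```

Because the return value is the count of old copies, the function drops straight into a CI gate (`check_jackson_jars "$ES_HOME" 2.10.5.1 || exit 1`). Note that a matching file name only tells you the library is present, not that the vulnerable code path is reachable from the module that bundles it; that is the question the poster asked Elastic, and only the vendor can answer it.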

Thank you for your report.

Elastic's security reporting guidelines are available at Security issues | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

Email sent, thank you @ikakavas.
