Vulnerability CVE-2020-25649 is reported on the jackson-databind-2.10.4.jar library of the ingest-geoip module of Elasticsearch (modules/ingest-geoip/jackson-databind-2.10.4.jar).
Are there any official statements regarding whether this vulnerability does indeed apply to Elasticsearch 7.17.4, or any plan to upgrade jackson-databind to a version that does not have the vulnerability?
If not, is there any way that I can help upgrade this dependency to a higher version?
Thanks for your help on this.
Thank you for your report.
Elastic's security reporting guidelines are available at Security issues | Elastic.
Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to email@example.com.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.
Email sent, thank you @ikakavas.