Vulnerability CVE-2020-25649 is reported on the jackson-databind-2.10.4.jar library of the ingest-geoip module of Elasticsearch (modules/ingest-geoip/jackson-databind-2.10.4.jar).
Are there any official statements regarding whether this vulnerability does indeed apply to Elasticsearch 7.17.4, or any plan to upgrade jackson-databind to a version that does not have the vulnerability?
If not, is there any way that I can help upgrade this dependency to a higher version?
Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.
We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.