Bug 580781 - CVE-2020-36518 in Jackson 2.13.2 - must be updated to at least 2.13.3
Summary: CVE-2020-36518 in Jackson 2.13.2 - must be updated to at least 2.13.3
Status: NEW
Alias: None
Product: Orbit
Classification: Tools
Component: bundles
Version: unspecified
Hardware: PC Windows 10
Importance: P3 normal
Target Milestone: ---
Assignee: Orbit Bundles CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-21 18:18 EDT by Joseph Benken CLA
Modified: 2023-04-03 12:53 EDT

See Also:

Description Joseph Benken CLA 2022-09-21 18:18:48 EDT
Eclipse Orbit includes bundles from Jackson 2.13.2 which are vulnerable to CVE-2020-36518. Eclipse Orbit should be updated to include at least 2.13.3. As of this writing, the current release is 2.13.4.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-36518
https://github.com/FasterXML/jackson-databind/issues/2816
Comment 1 Jonah Graham CLA 2023-04-03 12:53:42 EDT
The Eclipse Orbit project is now on GitHub at https://github.com/eclipse/orbit

If this issue is still relevant, please create an issue (and PR :-) on GitHub.

This notice is only going to the 17 Bugzillas that have been changed in the last ~18 months or so, to avoid inundating everyone's inbox with long out-of-date issues. Please see https://bugs.eclipse.org/bugs/buglist.cgi?product=Orbit&query_format=advanced&resolution=--- for all the unresolved Orbit bugs.