FasterXML jackson-databind 代码问题漏洞（CVE-2022-42003） · alibaba/Sentinel#2950

(7 commenti) (0 reazioni) (0 assegnatari)Java (23.109 star) (8150 fork)batch import

dependenciesgood first issue

Descrizione

最新sentinel-dashboard1.8.6 中jackson-databind 版本是jackson-databind-2.12.6.1.jar

有处理此漏洞的计划吗？

CVE编号 CVE-2022-42003 披露时间 2022-10-02

修复方案建议受影响客户升级到2.14.0-rc2及以上安全版本，版本获取链接： https://github.com/FasterXML/jackson-databind

Tech stack: java
Dominio: security
Tipo issue: security
Difficoltà: 2
Tempo stimato: half day
Stato attività: needs maintainer response
Chiarezza: clear
Prerequisiti: JavaMavendependency management
Adatta ai principianti: 50
Direzione di ricerca: The issue is a request to upgrade jackson databind to version 2.14.0 rc2 or higher to fix CVE 2022-42003. The fix involves updating the dependency version in the Sentinel dashboard's pom.xml file (likely in sentinel dashboard/pom.xml). Ensure compatibility with other Jackson dependencies and verify that no breaking changes affect the codebase. Check the existing comments for any maintainer response or blocked status. No linked PRs or assignees are present, so it is available for contribution but requires maintainer confirmation on the desired version and any additional changes.