FasterXML jackson-databind 代码问题漏洞（CVE-2022-42003） · alibaba/Sentinel#2950

(7 留言) (0 反應) (0 負責人)Java (23,109 star) (8,150 fork)batch import

dependenciesgood first issue

描述

最新sentinel-dashboard1.8.6 中jackson-databind 版本是jackson-databind-2.12.6.1.jar

有处理此漏洞的计划吗？

CVE编号 CVE-2022-42003 披露时间 2022-10-02

修复方案建议受影响客户升级到2.14.0-rc2及以上安全版本，版本获取链接： https://github.com/FasterXML/jackson-databind

技術棧: java
領域: security
議題類型: security
難度: 2
預計時間: half day
活動狀態: needs maintainer response
清晰度: clear
前置要求: JavaMavendependency management
新手友善度: 50
研究方向: The issue is a request to upgrade jackson databind to version 2.14.0 rc2 or higher to fix CVE 2022-42003. The fix involves updating the dependency version in the Sentinel dashboard's pom.xml file (likely in sentinel dashboard/pom.xml). Ensure compatibility with other Jackson dependencies and verify that no breaking changes affect the codebase. Check the existing comments for any maintainer response or blocked status. No linked PRs or assignees are present, so it is available for contribution but requires maintainer confirmation on the desired version and any additional changes.