FasterXML jackson-databind 代码问题漏洞（CVE-2022-42003） · alibaba/Sentinel#2950

(7 评论) (0 反应) (0 负责人)Java (23,109 star) (8,150 fork)batch import

dependenciesgood first issue

描述

最新sentinel-dashboard1.8.6 中jackson-databind 版本是jackson-databind-2.12.6.1.jar

有处理此漏洞的计划吗？

CVE编号 CVE-2022-42003 披露时间 2022-10-02

修复方案建议受影响客户升级到2.14.0-rc2及以上安全版本，版本获取链接： https://github.com/FasterXML/jackson-databind

技术栈: java
领域: security
议题类型: security
难度: 2
预计时间: half day
活动状态: needs maintainer response
清晰度: clear
前置要求: JavaMavendependency management
新手友好度: 50
研究方向: The issue is a request to upgrade jackson databind to version 2.14.0 rc2 or higher to fix CVE 2022-42003. The fix involves updating the dependency version in the Sentinel dashboard's pom.xml file (likely in sentinel dashboard/pom.xml). Ensure compatibility with other Jackson dependencies and verify that no breaking changes affect the codebase. Check the existing comments for any maintainer response or blocked status. No linked PRs or assignees are present, so it is available for contribution but requires maintainer confirmation on the desired version and any additional changes.