This is a dependency of Swagger Jersey Jaxrs library. We do not use Jackson directly and do not use createBeanDeserializer() function which has the vulnerability. To our knowledge we cannot find any reference of swagger jersey using this.
| Repository | Group | Artifact | Version | Problem Code | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| music | org.codehaus.jackson | jackson-mapper-asl | 1.9.2 | CVE-2017-7525 | This is a dependency by the core library for our RESTful service(jersey-json) and our cassandra-unit library. We do not use Jackson directly and do not use createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this Vulnerability from jersey-json or cassandra-unit. | |
| music | com.fasterxml.jackson.core | jackson-databind | 2.9.4 | CVE-2018-7489 | This is a dependency of Swagger Jersey Jaxrs library. We do not use Jackson directly and do not use createBeanDeserializer() function which has the vulnerability. To our knowledge we cannot find any reference of swagger jersey using this. | |
| music | org.apache.zookeeper | zookeeper | 3.4.11 | SONATYPE-2018-0469 | This is no longer a problem in the latest version of MUSIC. This shows up in the music jar which is still being used by Portal based on an older version. We have raised an issue with the team asking them to move to the latest version. | |
| music | com.google.guava | guava | 19.0 | CVE-2018-10237 | This is no longer a problem in the latest version of MUSIC. This shows up in the music jar which is still being used by Portal based on an older version. We have raised an issue with the team asking them to move to the latest version. | |
| music | io.netty | netty-handler | 4.0.56.Final | SONATYPE-2017-0356 | This is no longer a problem in the latest version of MUSIC. This shows up in the music jar which is still being used by Portal based on an older version. We have raised an issue with the team asking them to move to the latest version. |