Upgrade Jackson Databind to resolve security issues

Description

A security scan has shown that the 4.9.0 driver has a vulnerable version of Jackson Databind in its dependencies (version 2.9.10.5). This is likely due to the Java driver depending on version 3.4.8 of Tinkerpop, which was recently (August 2020) released and updated its dependency to 2.9.10.5 of Databind. This ticket is mostly a repeat of JAVA-2859, where we likely have to get Tinkerpop to update Databind and release, then update the driver to use the new Tinkerpop version.
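To see where a flagged version actually enters a build, the following added script (not part of this ticket or of the driver project) parses `mvn dependency:tree` output and reports every path to an artifact whose version is below a chosen minimum. The tree text is constructed to mirror the chain the description gives (driver 4.9.0 -> TinkerPop 3.4.8 -> jackson-databind 2.9.10.5) next to a direct 2.11.0 declaration; the Maven coordinates and the 2.11.0 minimum are assumptions.

```python
"""Locate transitive paths to an artifact in `mvn dependency:tree` output."""
import re

# Constructed sample of `mvn dependency:tree` output (coordinates assumed).
SAMPLE_TREE = r"""
[INFO] com.datastax.oss:java-driver-core:jar:4.9.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO] +- org.apache.tinkerpop:gremlin-core:jar:3.4.8:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.5:compile
[INFO] |  \- org.apache.tinkerpop:gremlin-shaded:jar:3.4.8:compile
"""

# Tree prefix ("|  ", "+- ", "\- ") is 3 characters per nesting level.
COORD = re.compile(r"^(?:\[INFO\] )?([|+\\\- ]*)([\w.\-]+):([\w.\-]+):(?:jar|pom|bundle):([\w.\-]+)")


def parse_tree(text):
    """Yield (depth, groupId, artifactId, version) for each dependency line."""
    for line in text.splitlines():
        m = COORD.match(line)
        if m:
            prefix, group, artifact, version = m.groups()
            yield len(prefix) // 3, group, artifact, version


def find_artifact(text, artifact_id):
    """Return (version, path) for every occurrence of artifact_id; path lists
    'artifactId:version' from the root, so the introducing dependency is visible."""
    stack, hits = [], []
    for depth, _group, artifact, version in parse_tree(text):
        del stack[depth:]            # drop siblings/children of the previous branch
        stack.append(f"{artifact}:{version}")
        if artifact == artifact_id:
            hits.append((version, " -> ".join(stack)))
    return hits


def version_tuple(version):
    # Numeric comparison; a non-numeric component such as "0-rc1" counts as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def vulnerable_paths(text, artifact_id, minimum_version):
    """Occurrences of artifact_id whose version is older than minimum_version."""
    return [(v, path) for v, path in find_artifact(text, artifact_id)
            if version_tuple(v) < version_tuple(minimum_version)]


if __name__ == "__main__":
    for version, path in vulnerable_paths(SAMPLE_TREE, "jackson-databind", "2.11.0"):
        print(f"jackson-databind {version} is below 2.11.0, introduced via: {path}")
```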

Environment

None

Pull Requests

None

Activity

Alexandre Dutra
November 26, 2020, 11:24 AM

CVE seems to be CVE-2020-24750.

Alexandre Dutra
November 26, 2020, 5:29 PM

Jackson Databind in the driver is already 2.11.0. This issue is really only around upgrading TinkerPop.

Brendan Cicchi
December 11, 2020, 6:01 PM

TINKERPOP-2401 shows that the Jackson version was bumped in the 3.4.9 and 3.5.0 releases of tinkerpop.

Alexandre Dutra
January 5, 2021, 10:20 AM

Jackson has been upgraded to 2.12.0 and Tinkerpop to 3.4.9. To be released in 4.10.

Fixed

Assignee

Alexandre Dutra

Reporter

Erik Merkle

Labels

None

PM Priority

None

Affects versions

Fix versions

Pull Request

None

Doc Impact

None

Size

None

External issue ID

None


Priority

Major