Hi Denys,

That's right. jackson-databind version 2.16.1 does not have any CVEs. I also saw that there was a HIVE ticket to update to this version: [HIVE-28073] Upgrade jackson version to 2.16.1 - ASF JIRA (apache.org) <https://issues.apache.org/jira/browse/HIVE-28073>. The ticket also mentions this was fixed in Hive 4.0.0.
But the docker image that I downloaded from dockerhub - apache/hive Tags | Docker Hub <https://hub.docker.com/r/apache/hive/tags> - shows that there are two old versions of the package in use within the image (2.4.0 and 2.9.4).

Thanks
Regards
Sreek

________________________________
From: Denys Kuzmenko <dkuzme...@apache.org>
Sent: Wednesday, June 19, 2024 6:06 PM
To: dev@hive.apache.org <dev@hive.apache.org>
Subject: Re: apache/hive security vulnerabilities.

Hi,

Hive-4.0 uses jackson-databind version 2.16.1. I don't see any CVEs reported in Maven Central for that artifact:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.16.1

    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.16.1</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>