[
https://issues.apache.org/jira/browse/TINKERPOP-2016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568307#comment-16568307
]
ASF GitHub Bot commented on TINKERPOP-2016:
-------------------------------------------
Github user FlorianHockmann commented on the issue:
https://github.com/apache/tinkerpop/pull/904
I just searched whether the library would also be used somewhere else and
found it [in
`spark-gremlin`](https://github.com/apache/tinkerpop/blob/tp32/spark-gremlin/pom.xml#L211):
```
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.4.4</version>
</dependency>
```
Shouldn't that also be updated or is there a reason why we have to use that
specific version there?
> Upgrade Jackson FasterXML to 2.9.5 or later to fix security vulnerability
> -------------------------------------------------------------------------
>
> Key: TINKERPOP-2016
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2016
> Project: TinkerPop
> Issue Type: Improvement
> Affects Versions: 3.3.3, 3.2.9
> Reporter: Luke Daugherty
> Assignee: Robert Dale
> Priority: Major
>
> The jackson libraries included in groovy-shaded-3.3.3 have a CVE reported
> against them so the library is reported as High risk by vulnerability
> scanners such as Nexus.
> *[CVE-2018-7489|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7489]*
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
