Hi, we are using a library, Jackson Databind, to serialize JSON objects on the HTTP Admin Endpoint.
Unfortunately that library is very often subject to CVEs due to the intrinsic nature of the library, the fact that it is really very common, and in particular the fact that it has many deserialization "gadgets" (that we are not using). Usually we are never affected by those CVEs because we are using only Jackson core features and we are using it only in order to serialize data (and only very simple beans). Some more context here: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

We want the OWASP dependency checker to always be happy with our releases. I think this is very good. But we are spending a lot of time, especially in blocking releases, due to this fact.

I am now proposing to drop this dependency and use some other simpler JSON encoding library.

Thoughts?

Enrico
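For readers following the "we only serialize" argument above, here is an added example (not code from the project or from the original message) of the kind of serialization-only wrapper that keeps an admin endpoint out of reach of the gadget-based deserialization CVEs: default typing is explicitly deactivated and no `readValue()` method is ever exposed, so no class name taken from JSON input can select a gadget class. The `AdminJson` and `Status` names are hypothetical; the wrapper assumes Jackson 2.10 or later, where `JsonMapper.builder()` and `deactivateDefaultTyping()` are available.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

/** Hypothetical serialization-only JSON facade for an HTTP admin endpoint (assumption, not the project's own code). */
public final class AdminJson {

    // Built once. Default typing is switched off explicitly, so Jackson never reads a
    // class name out of a JSON document; this is the precondition for the gadget CVEs.
    private static final ObjectMapper MAPPER = JsonMapper.builder()
            .deactivateDefaultTyping()
            .build();

    private AdminJson() {}

    /** Only writing is exposed. There is deliberately no readValue() counterpart in this class. */
    public static String toJson(Object bean) throws JsonProcessingException {
        return MAPPER.writeValueAsString(bean);
    }

    /** A simple bean of the kind such an endpoint returns (constructed sample type). */
    public static final class Status {
        private final String node;
        private final long uptimeSeconds;

        public Status(String node, long uptimeSeconds) {
            this.node = node;
            this.uptimeSeconds = uptimeSeconds;
        }

        public String getNode() { return node; }
        public long getUptimeSeconds() { return uptimeSeconds; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; prints {"node":"broker-1","uptimeSeconds":3600}
        System.out.println(toJson(new Status("broker-1", 3600)));
    }
}
```

A cheap accompanying check for a code base that claims to be serialize-only is a build-time grep (or an ArchUnit-style rule) that fails the build if any call to `readValue`, `activateDefaultTyping` or `enableDefaultTyping` appears outside test code; that turns the "we are not using the gadgets" argument into something a reviewer can verify when the next Jackson CVE is triaged.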