[ https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934747#comment-16934747 ]
Romain Manni-Bucau commented on BEAM-7881:
------------------------------------------

Up, the lack of care for security by Jackson is a real concern which should be addressed IMHO. Any hope to get it fixed soon?

> Get rid of jackson to avoid the continuous flow of CVEs in Jackson
> ------------------------------------------------------------------
>
> Key: BEAM-7881
> URL: https://issues.apache.org/jira/browse/BEAM-7881
> Project: Beam
> Issue Type: Task
> Components: sdk-java-core
> Affects Versions: 2.14.0
> Reporter: Romain Manni-Bucau
> Priority: Blocker
>
> Jackson keeps having CVE on all releases of databind and transitively beam
> sdk java core has CVE on all its releases (for the record, when writing this
> issue you must use at least jackson-databind 2.9.9.2 but last week it was
> 2.9.9.1 and 2.14 didn't get the fix).
> Can be neat to get rid of jackson which does not fix this issue for a very
> long time now and just use JSON-B or another JSON impl to ensure the CVE is
> not usable because beam is there.