Originally CVE-2020-36518 only affected Spring 2.5.10, but the CVE was recently updated and now also includes Jackson Databind 2.13.2, which means that the very latest Spring Boot version 2.6.5 is affected as well.

The CVE was fixed with Jackson Databind version 2.13.2.1.

  • Original Spring Boot 2.5.10 issue: https://github.com/spring-projects/spring-boot/issues/30354
  • Relevant Jackson issue: https://github.com/FasterXML/jackson-databind/pull/3416
  • CVE info: https://nvd.nist.gov/vuln/detail/CVE-2020-36518

Comment From: wilkinsona

We'll upgrade to the new Jackson release as part of a semi-automated process. In the meantime you are, as ever, free to override the version of Jackson used in your application.

Comment From: pandrez

Hi @wilkinsona

I tried to override Jackson like you suggested but I'm getting an error on Gradle.

I created a really simple Gradle project using Spring Initializr (you can check it here) and only added the following line to build.gradle.kts:

extra["jackson-bom.version"] = "2.13.2.20220324"

This version contains the fix for the aforementioned CVE.

When building the project, I get the following error:

Execution failed for task ':compileKotlin'.
> Error while evaluating property 'filteredArgumentsMap' of task ':compileKotlin'
   > Could not resolve all files for configuration ':compileClasspath'.
      > Could not find com.fasterxml.jackson:jackson-bom:2.13.2.1.
        Required by:
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.core:jackson-databind:2.13.2.1
      > Could not find com.fasterxml.jackson:jackson-bom:2.13.2.1.
        Required by:
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.core:jackson-databind:2.13.2.1 > com.fasterxml.jackson.core:jackson-annotations:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.core:jackson-databind:2.13.2.1 > com.fasterxml.jackson.core:jackson-core:2.13.2

Am I overriding the property incorrectly? Overriding this property on a Maven project works as intended.

Comment From: wilkinsona

Unfortunately, there's a bug in the Gradle module metadata for jackson-databind:2.13.2.1. It sounds like a fix is on the way. In the meantime there are a couple of workarounds in that issue too.
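Whichever workaround is used, the thing worth confirming afterwards is the jackson-databind version Gradle actually resolved, not the one requested. The script below is an added example and not part of this issue thread; it reads the text of `./gradlew dependencies --configuration runtimeClasspath` on stdin and reports whether jackson-databind resolved at or above 2.13.2.1, the first release containing the fix. The sample report lines are constructed in Gradle's `requested -> resolved` format; the four-component version comparison is the part a plain string compare gets wrong.

```shell
#!/bin/sh
# Added example: verify the resolved jackson-databind version in a Gradle dependency report.

FIXED_VERSION="2.13.2.1"   # first jackson-databind release with the CVE-2020-36518 fix

# Print the resolved jackson-databind version from a Gradle dependency report on stdin.
# Gradle prints "group:artifact:requested -> resolved" when a version was overridden,
# so prefer the value after "->" and fall back to the requested one.
resolved_databind_version() {
  grep 'com.fasterxml.jackson.core:jackson-databind:' \
    | sed -E 's/.*jackson-databind:([^ ]+)( -> ([^ ]+))?.*/\1 \3/' \
    | awk '{ v = ($2 != "") ? $2 : $1; print v }' \
    | sort -u | tail -n 1
}

# Numeric, component-wise comparison of dotted versions (2.13.2 vs 2.13.2.1 differ).
# Returns 0 when $1 >= $2; a missing fourth component sorts as 0.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | tail -n 1)" = "$1" ]
}

# Returns 0 if the report on stdin resolves jackson-databind at or above FIXED_VERSION.
check_report() {
  v="$(resolved_databind_version)"
  [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# Constructed sample report lines in Gradle's format; not real tool output.
SAMPLE_VULNERABLE='+--- org.springframework.boot:spring-boot-starter-json:2.6.5
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.2 (*)'
SAMPLE_FIXED='+--- org.springframework.boot:spring-boot-starter-json:2.6.5
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.2 -> 2.13.2.1 (*)'

# Stand-alone run: evaluate both constructed samples.
for sample in "$SAMPLE_VULNERABLE" "$SAMPLE_FIXED"; do
  if printf '%s\n' "$sample" | check_report; then
    echo "OK: jackson-databind resolved at or above $FIXED_VERSION"
  else
    echo "VULNERABLE: jackson-databind resolved below $FIXED_VERSION"
  fi
done
```

Against a real project, run `./gradlew dependencies --configuration runtimeClasspath | sh -c '. ./check.sh; check_report'` or simply paste the report in on stdin.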

Comment From: pandrez

Thank you so much @wilkinsona 👍🏻