Task
Resolution: Done
Medium
Policy 6/8-6/19, Policy 6/23-7/06
The security subcommittee asks for JIRAs to track security issues even if they are false positives.
org.codehaus.jackson.jackson-mapper-asl
This dependency is pulled in by org.apache.avro. We are using the latest version of Avro.
We are using Avro to deserialize events. Avro uses jackson-mapper-asl for its JSON decoding. The schema for the events we are decoding is controlled in policy models and prevents executable code from being specified. Therefore this vulnerability cannot be exploited.