-
Bug
-
Resolution: Done
-
Medium
-
Dublin Release
-
SDNC Dublin Spr 3 3/11 - 3/29, SDNC Fr Sp2:11/23-12/13
jackson-datatype is vulnerable to CVE-2017-4995. There is no non-vulnerable version of this library. Workaround is not to use default typing (see https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization)