I don't think this should be closed, as the earlier issue does not mention the fact that a critically vulnerable transitive dependency is pulled in @cowtowncoder. I think this should remain open to provide visibility of this, as it's an issue that is going to prevent many organisations from using this lib due to security policies.
I disagree. The root problem is that we cannot update to a later version. Anyone looking for a specific vuln can find this one, even if closed.
Also: the vulnerability is also non-applicable, as usual (the vast majority of vulns/CVEs are non-applicable based on my experience) -- it only affects polymorphic deserialization, none of which is used by the Avro format module or the Apache Avro library.
cowtowncoder changed the title on Oct 31, 2023 from:
Snyk Reports a Critical Vulnerability (org.codehaus.jackson:jackson-mapper-asl Improper Input Validation)
to:
(avro) Snyk Reports a Critical Vulnerability (org.codehaus.jackson:jackson-mapper-asl Improper Input Validation) -- NOT APPLICABLE (polymorphic deserialization)
Introduced through: com.fasterxml.jackson.dataformat:[email protected] › org.apache.avro:[email protected] › org.codehaus.jackson:[email protected]
Link to issue: https://app.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJACKSON-3326362