Fix for Vulnerability in Jackson Databind 2.9.9

Release DateSep 27, 2019
Change Type
Platforms Affected

We have updated the jackson-databind library in our Java SDKs due to a vulnerability reported recently. Please generate a new Java SDK from APIMatic to get the fix.

Details

The following vulnerability, detailed in CVE-2019-16335, was reported in the version 2.9.9 of the jackson-databind library that we were using:

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Remediation

The library com.fasterxml.jackson.core:jackson-databind needs to be updated to version 2.9.10. For example:

<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>[2.9.10,)</version>
</dependency>

You can generate a new Java SDK from APIMatic to receive this fix.

Related Links


Have questions? Submit a request.