Camunda-spin-dataformat and Jackson-databind vulnerability issue

Hi Team,
I excluded jackson-databind from camunda-spin-dataformat-all, but the vulnerability issues identified in jackson-databind are still being reported. Also, I checked the transitive dependencies of camunda-spin-dataformat-all, but I cannot find any usage of the jackson-databind dependency.
pom snippet as below:

<dependency>
  <groupId>org.camunda.bpm</groupId>
  <artifactId>camunda-bom</artifactId>
  <version>7.18.0</version>
</dependency>
<dependency>
  <groupId>org.camunda.spin</groupId>
  <artifactId>camunda-spin-dataformat-all</artifactId>
  <version>1.18.0</version>
</dependency>

If you have any solution to remove the VA issues from camunda-spin-dataformat-all, please guide me.

Hello @Lakshan ,

spin-dataformat-all shades jackson-json; this is why there is no transitive dependency.

Anyway, excluding it will not take you further, as Spin relies on jackson-json.

I hope this helps

Jonathan

1 Like

As you mentioned, spin-dataformat-all shades jackson-json, thus excluding it has had no effect on the VA. So, is there any solution to overcome the jackson-json vulnerability by using the latest spin-dataformat-all?

Hello @Lakshan ,

you could try using camunda-spin-dataformat-jackson-json, which does not shade jackson-databind but includes it as a regular dependency.

Then you could manage the dependency version if the version used by Camunda 7.18.0 is vulnerable and a patch exists for jackson-databind.

Jonathan

1 Like
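As an added example (not from the original thread, and not Camunda project code), here is what the two answers above amount to in a pom.xml: the first answer explains why the exclusion did nothing (the Jackson classes are bundled inside the dataformat-all jar, so there is no transitive dependency to exclude), and the second answer gives the way out, which is to switch to camunda-spin-dataformat-jackson-json and pin jackson-databind through dependencyManagement. The Camunda and Spin coordinates are the ones from the thread; the project coordinates, the jackson.version property and its value 2.15.2 are assumed placeholders for illustration, not a claim about which release fixes any particular finding.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>spin-jackson-pinned</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <!-- Assumed placeholder: set this to the jackson release that your
         scanner report names as fixed; 2.15.2 is only an example value -->
    <jackson.version>2.15.2</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Imported first: for conflicting entries between imported BOMs,
           Maven keeps the first one declared, so jackson-bom (which pins
           jackson-databind, jackson-core and jackson-annotations to one
           consistent version) wins over anything the Camunda BOM manages -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Camunda BOM from the original post, imported the normal way -->
      <dependency>
        <groupId>org.camunda.bpm</groupId>
        <artifactId>camunda-bom</artifactId>
        <version>7.18.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Replaces camunda-spin-dataformat-all. This artifact does not shade
         Jackson, so jackson-databind becomes an ordinary transitive
         dependency whose version the dependencyManagement block above controls -->
    <dependency>
      <groupId>org.camunda.spin</groupId>
      <artifactId>camunda-spin-dataformat-jackson-json</artifactId>
      <version>1.18.0</version>
    </dependency>
  </dependencies>
</project>
```

Two checks are worth running after this change. First, confirm the resolved version with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; the tree should show jackson-databind, jackson-core and jackson-annotations at the pinned version and nothing else from that group at an older one. Second, confirm that nothing in the build still pulls in camunda-spin-dataformat-all (`mvn dependency:tree -Dincludes=org.camunda.spin`), because a scanner will keep flagging the bundled Jackson classes inside that jar as long as it is on the classpath; listing its contents with `unzip -l` and filtering for `jackson` shows why the original `<exclusion>` had no effect. The caveat is that pinning a newer jackson-databind than the one Camunda 7.18.0 was built and tested against is a supply-chain change you own: run the application's JSON serialization paths (Spin variables, REST API payloads) against the new version before relying on it in production.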