[Security] Bump jackson-databind from 2.13.4 to 2.14.0
Bumps jackson-databind from 2.13.4 to 2.14.0. This update includes a security fix.
Vulnerabilities fixed
Uncontrolled Resource Consumption in Jackson-databind
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Patched versions: 2.14.0-rc1; 2.13.4.1
Affected versions: < 2.14.0-rc1; < 2.13.4.1
Commits
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot rebase will rebase this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts