Force eviction of jackson-databind 2.13.1

adzerk · Apr 24, 2024 · d12163d · d12163d
1 parent 9c030d8
commit d12163d
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/elasticsearch/build.sbt b/elasticsearch/build.sbt
@@ -1,20 +1,23 @@
 import Dependencies._
 
 libraryDependencies ++= Seq(
-  AkkaActor                  % Provided,
+  AkkaActor                    % Provided,
   ApacheHttpAsyncClient,
   ApacheHttpClient,
   ApacheHttpCore,
   CirceCore,
   Elastic4sClientEsJava,
   Elastic4sCore,
   ElasticsearchRestClient,
-  AkkaTestkit                % Test,
-  AkkaHttpTestkit            % Test,
-  AkkaSlf4J                  % Test,
-  Elastic4sTestkit           % Test,
-  ElasticsearchClusterRunner % Test,
-  Log4JCore                  % Test,
-  Log4JSlf4j                 % Test,
-  Specs2Core                 % Test
+  // This is explicitly included to force the eviction of a dependency exposing the following direct vulnerabilities:
+  // CVE-2022-42004, CVE-2022-42003 and CVE-2020-36518.
+  "com.fasterxml.jackson.core" % "jackson-databind" % "2.13.5",
+  AkkaTestkit                  % Test,
+  AkkaHttpTestkit              % Test,
+  AkkaSlf4J                    % Test,
+  Elastic4sTestkit             % Test,
+  ElasticsearchClusterRunner   % Test,
+  Log4JCore                    % Test,
+  Log4JSlf4j                   % Test,
+  Specs2Core                   % Test
 )