|
|
@@ -53,7 +53,10 @@
|
|
|
<!-- CVE-2022-45688: org.json XML.toJSONObject 栈溢出 DoS,需 >= 20230227 -->
|
|
|
<org.json.version>20240303</org.json.version>
|
|
|
<!-- CVE-2021-46877: jackson-databind JsonNode JDK 序列化 DoS,2.13.x 需 >= 2.13.1 -->
|
|
|
- <jackson.version>2.13.5</jackson.version>
|
|
|
+ <!-- CVE-2023-35116: jackson-databind 循环依赖 DoS,需 >= 2.16.0 -->
|
|
|
+ <jackson.version>2.16.2</jackson.version>
|
|
|
+ <!-- 非 bundle 版 OBS SDK,避免 fat jar 内嵌旧版 jackson 无法被 BOM 覆盖 -->
|
|
|
+ <esdk-obs-java.version>3.25.5</esdk-obs-java.version>
|
|
|
<!-- CVE-2022-38749: snakeyaml 解析不可信 YAML 栈溢出 DoS,需 >= 1.31 -->
|
|
|
<snakeyaml.version>1.33</snakeyaml.version>
|
|
|
<!-- CVE-2021-44832: log4j2 JDBC Appender JNDI RCE,Java 8 需 >= 2.17.1 -->
|
|
|
@@ -153,7 +156,7 @@
|
|
|
<scope>import</scope>
|
|
|
</dependency>
|
|
|
|
|
|
- <!-- 修复 CVE-2021-46877(覆盖传递依赖中可能存在的 jackson-databind < 2.13.1) -->
|
|
|
+ <!-- 修复 CVE-2021-46877 / CVE-2023-35116(覆盖传递依赖中可能存在的 jackson-databind < 2.16.0) -->
|
|
|
<dependency>
|
|
|
<groupId>com.fasterxml.jackson</groupId>
|
|
|
<artifactId>jackson-bom</artifactId>
|
|
|
@@ -177,6 +180,13 @@
|
|
|
<version>${jackson.version}</version>
|
|
|
</dependency>
|
|
|
|
|
|
+ <!-- 华为 OBS SDK(非 bundle,jackson 由上方 BOM 统一锁定 >= 2.16.0) -->
|
|
|
+ <dependency>
|
|
|
+ <groupId>com.huaweicloud</groupId>
|
|
|
+ <artifactId>esdk-obs-java</artifactId>
|
|
|
+ <version>${esdk-obs-java.version}</version>
|
|
|
+ </dependency>
|
|
|
+
|
|
|
<!-- 修复 CVE-2022-38749(覆盖 Spring Boot 2.7 默认 snakeyaml 1.30) -->
|
|
|
<dependency>
|
|
|
<groupId>org.yaml</groupId>
|
