spring-boot-starter-parent has a transitive dependency on jackson-databind, which has a known security vulnerability, CVE-2018-1000873: Jackson versions before 2.9.8 contain a CWE-20 (Improper Input Validation) flaw that can result in a denial of service (DoS). The CVE text attributes the flaw to the Jackson Modules Java 8 component (jackson-datatype-jsr310 in the tree below, also at 2.9.7), triggered when untrusted input carrying oversized nanosecond values in a time field is deserialized.
The fix shipped in Jackson 2.9.8; this project currently resolves 2.9.7, as the dependency tree below shows:
com.pingidentity.samples:custom-user-registration:jar:0.0.1-SNAPSHOT
+- com.pingidentity.samples:spring-boot-sdk:jar:0.0.1-SNAPSHOT:compile
| +- org.springframework.boot:spring-boot-starter:jar:2.1.3.RELEASE:compile
| ...
| +- org.springframework.boot:spring-boot-starter-web:jar:2.1.3.RELEASE:compile
| | +- org.springframework.boot:spring-boot-starter-json:jar:2.1.3.RELEASE:compile
| | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
| | | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
| | | | \- com.fasterxml.jackson.core:jackson-core:jar:2.9.7:compile
| | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.7:compile
| | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.7:compile
| | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.7:compile
| ...
| +- org.springframework.security.oauth:spring-security-oauth2:jar:2.2.0.RELEASE:compile
| | +- commons-codec:commons-codec:jar:1.11:compile
| | \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
| | \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
| \- io.openapitools.jackson.dataformat:jackson-dataformat-hal:jar:1.0.5:compile
| \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.7:compile
| +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.7:compile
| \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.7:compile
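A quick way to check a tree like the one above for this problem, as an added example that is not part of the original issue: the script below parses `mvn dependency:tree` output and reports every tracked Jackson artifact that resolved below its fixed version. The embedded sample tree is a constructed copy of the relevant lines above; the minimum-version table is an assumption built from the versions stated in this issue (jackson-databind 2.9.8) plus jackson-datatype-jsr310, whose parent project Jackson Modules Java 8 is the component the CVE text names.

```python
"""Flag Jackson artifacts below a fixed version in `mvn dependency:tree` output.

Added example (not from the original issue). Pipe `mvn dependency:tree` into this
script, or call check_tree() on the captured text.
"""
import re
import sys

# Constructed sample: the relevant lines of the dependency tree quoted in the issue.
SAMPLE_TREE = """\
[INFO] com.pingidentity.samples:custom-user-registration:jar:0.0.1-SNAPSHOT
[INFO] +- com.pingidentity.samples:spring-boot-sdk:jar:0.0.1-SNAPSHOT:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:2.1.3.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-json:jar:2.1.3.RELEASE:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  |  |  |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.7:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.7:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.7:compile
[INFO] |  |  |  \\- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.7:compile
[INFO] |  +- org.springframework.security.oauth:spring-security-oauth2:jar:2.2.0.RELEASE:compile
[INFO] |  |  \\- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  \\- io.openapitools.jackson.dataformat:jackson-dataformat-hal:jar:1.0.5:compile
[INFO] |     \\- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.7:compile
"""

# Assumed minimums: jackson-databind per the version stated in the issue, and the
# jsr310 module because the CVE text names Jackson Modules Java 8.
MIN_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.8",
    "com.fasterxml.jackson.datatype:jackson-datatype-jsr310": "2.9.8",
}

# Optional "[INFO] " prefix followed by the tree-drawing characters: | + \ - and spaces.
_PREFIX_RE = re.compile(r"^(?:\[INFO\]\s*)?[|+\\\-\s]*")


def parse_version(version: str) -> tuple:
    """'2.9.7' -> (2, 9, 7); '2.1.3.RELEASE' -> (2, 1, 3); '0.0.1-SNAPSHOT' -> (0, 0, 1).

    Qualifiers are ignored, which is enough for comparing a resolved version
    against the fixed version on the same release line.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def parse_coordinate(line: str):
    """Return ('group:artifact', version) for one dependency:tree line, or None."""
    coord = _PREFIX_RE.sub("", line).strip()
    parts = coord.split(":")
    # Maven prints g:a:type:version, g:a:type:version:scope,
    # or g:a:type:classifier:version:scope.
    if len(parts) in (4, 5):
        version = parts[3]
    elif len(parts) == 6:
        version = parts[4]
    else:
        return None  # elision lines such as "..." or blank lines
    return f"{parts[0]}:{parts[1]}", version


def check_tree(tree_text: str, min_versions=MIN_VERSIONS):
    """Return [(coordinate, resolved, required)] for each tracked artifact below its minimum."""
    findings = []
    seen = set()
    for line in tree_text.splitlines():
        parsed = parse_coordinate(line)
        if parsed is None:
            continue
        coordinate, resolved = parsed
        required = min_versions.get(coordinate)
        if required is None or (coordinate, resolved) in seen:
            continue
        seen.add((coordinate, resolved))
        if parse_version(resolved) < parse_version(required):
            findings.append((coordinate, resolved, required))
    return findings


if __name__ == "__main__":
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    findings = check_tree(text)
    for coordinate, resolved, required in findings:
        print(f"{coordinate} resolved to {resolved}, need >= {required}")
    sys.exit(1 if findings else 0)
```

Run it as `mvn dependency:tree | python check_jackson.py` in the project root (the file name is an assumption); a non-zero exit makes it usable as a CI gate. Re-run it after changing the pom to confirm every tracked artifact actually moved to 2.9.8 rather than trusting the parent version alone.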
To address this, the Security Team recommends a version-range Maven dependency coordinate for the parent, e.g.
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
- <version>2.1.1.RELEASE</version>
+ <version>[2.1.3.RELEASE,3.0.0.RELEASE)</version>
</parent>
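Review bot: the range [2.1.3.RELEASE,3.0.0.RELEASE) on the + line lets Maven pick whichever 2.x parent is newest at build time, so two builds of the same commit can resolve different Spring Boot and Jackson versions and an untested minor can arrive silently; pin the parent to a concrete version such as 2.1.3.RELEASE instead. Note also that the - line removes 2.1.1.RELEASE while the tree above already shows 2.1.3.RELEASE starters resolving jackson-databind 2.9.7, so confirm which pom produced that tree; if the concrete parent bump still leaves 2.9.7, override the managed version with the Spring Boot property <jackson.version>2.9.8</jackson.version> in <properties> and re-run mvn dependency:tree to verify that every com.fasterxml.jackson artifact moved to 2.9.8.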