Maven: a solution for upgrading a jar (jackson-mapper-asl)

Project background: the project was required to upgrade its jars, and a scan flagged jackson-mapper-asl-1.9.6.jar as having a high-severity vulnerability:
CVE-2018-14718 ==> CVE details

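Description: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.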

The dependency the project currently uses is jackson-mapper-asl-1.9.6.jar.

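Looking up the dependency on the mvnrepository site shows that its latest release is 1.9.13, whereas the description above refers to jackson-databind. The two artifactIds do not match, so the guess is that jackson-mapper-asl has been moved to jackson-databind.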

Opening the mvnrepository page for jackson-mapper-asl shows that it has indeed been moved to jackson-databind.

At this point we only need to remove the jackson-mapper-asl dependency and add the relocated artifact at a specific version:

<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind -->
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.13.0</version>
</dependency>

However, searching the project in IDEA did not find jackson-mapper-asl at all, so how was it being pulled in? Digging further showed:

The project includes jackson-jaxrs, which depends on jackson-mapper-asl.

Opening the mvnrepository page for jackson-jaxrs shows that it has also been moved, to jackson-jaxrs-json-provider.

Checking the jackson-databind version referenced by its latest release shows it is the one we want.

Just add it to the project directly:

        <dependency>
            <groupId>com.fasterxml.jackson.jaxrs</groupId>
            <artifactId>jackson-jaxrs-json-provider</artifactId>
            <version>2.13.0</version>
        </dependency>
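
To trace which dependency brings jackson-mapper-asl in, and to confirm afterwards that no org.codehaus.jackson artifact or pre-2.9.7 jackson-databind remains, the text output of `mvn dependency:tree` can be parsed. This is an added example, not code from the original post; the sample tree, its versions and the function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output; versions are illustrative.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.9.RELEASE:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
[INFO] \\- org.codehaus.jackson:jackson-jaxrs:jar:1.9.6:compile
[INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.6:compile
[INFO]    \\- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.6:compile
"""

# Optional "[INFO] " prefix, then one 3-character tree token per nesting level.
NODE = re.compile(r"^(?:\[INFO\] )?((?:\|  |   |\+- |\\- )*)(\S+:\S+)")

def parse(tree_text):
    """Yield (depth, groupId, artifactId, version) for each node line."""
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m or m.group(2).count(":") < 3:
            continue  # banner, summary or other non-node line
        depth = len(m.group(1)) // 3
        f = m.group(2).split(":")
        # Root is group:artifact:type:version; children end with a scope field.
        yield depth, f[0], f[1], (f[-1] if depth == 0 else f[-2])

def trace(tree_text, group="org.codehaus.jackson"):
    """Return the chain from the project root to every artifact in `group`."""
    stack, hits = [], []
    for depth, g, a, v in parse(tree_text):
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(f"{g}:{a}:{v}")
        if g == group:
            hits.append(list(stack))
    return hits

def databind_below(tree_text, floor=(2, 9, 7)):
    """Return jackson-databind versions older than `floor` (2.9.7 per the CVE text)."""
    old = []
    for _, g, a, v in parse(tree_text):
        if (g, a) == ("com.fasterxml.jackson.core", "jackson-databind"):
            if tuple(int(n) for n in re.findall(r"\d+", v)[:3]) < floor:
                old.append(v)
    return old

if __name__ == "__main__":
    for chain in trace(SAMPLE_TREE):
        print(" -> ".join(chain))
    print("jackson-databind below 2.9.7:", databind_below(SAMPLE_TREE))
```

An empty result from both functions on the tree produced after the change confirms that no 1.x Jackson artifact or old jackson-databind is still reaching the classpath through another dependency.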

Finally, starting the project produced an error:

21:29:36.854 - WARN [org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException
21:29:36.866 - ERROR [org.springframework.boot.SpringApplication:771] - Application startup failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManage': Cannot create inner bean 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c' of type [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider#6f74669c': Failed to introspect bean class [org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider] for lookup method metadata: could not find class that it depends on; nested exception is java.lang.NoClassDefFoundError: org/codehaus/jackson/map/JsonMappingException
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)

Opening the corresponding configuration file shows that the configured Java bean can no longer be found.

This ties back to the change in fully qualified class names after the move to jackson-databind.

Open the jackson-databind package, find the fully qualified name of the corresponding JacksonJaxbJsonProvider class, and copy and paste it in place of the old one.
