Hello Spring Cloud Config Team,
I just wanted to raise this issue if you allow me.
Setup: the latest (as of this writing) Spring Boot 2.6.5 + Jubilee 2021.0.1
After running mvn clean install dependency:tree -X, and also after downloading the corresponding branch from this repo and running a couple of static analysis tools, such as BlackDuck, SonarQube, Dependency-check, etc., the CVE is further confirmed.
The CVE is on com.fasterxml.jackson.core:jackson-databind:jar:2.13.2 with CVE-2020-36518
Could you please help fix this CVE? Spring Cloud Config is widely used, and this is not a "let's make some static tools happy" request but rather raising a valid CVE on a very popular and so important component of the Spring Cloud ecosystem.
Thank you
Comment From: ryanjbaxter
See https://github.com/spring-projects/spring-boot/issues/30451