Bump jackson-databind from 2.13.2 to 2.13.2.1

sonallux · sonallux · commit 58db4bc90198 · 2022-03-26T14:27:05.000+01:00
fixes CVE-2020-36518
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,7 @@ The OpenAPI definition contains fixes and improvements from my [spotify-web-api]
 Therefore, some model class names have changed and many fixes are included.
 
 - The library now also requires Java 17
-- Update to jackson `2.13.2`
+- Update to jackson `2.13.2` and jackson-databind to `2.13.2.1` to fix CVE-2020-36518
 - Update to okhttp `4.9.3`
 
 ## [2.4.0]
diff --git a/spotify-web-api-java/pom.xml b/spotify-web-api-java/pom.xml
@@ -35,7 +35,9 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}</version>
+            <!-- fixes CVE-2020-36518. Only for the affected artifact jackson-databind a release was made. Once a new
+            full jackson release is available replace the hardcoded version and use property jackson.version again -->
+            <version>2.13.2.1</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.datatype</groupId>
