[Bug][CVE-2019-10172] found CVE in the latest release 8.12.2 and 8.9.1

[trend-greta-pan]

What kind an issue is this?

• Bug report. If you’ve found a bug, please provide a code snippet or test to reproduce it below.
  The easier it is to track down the bug, the faster it is solved.
• Feature Request. Start by telling us what problem you’re trying to solve.
  Often a solution already exists! Don’t send pull requests to implement new features without
  first getting our support. Sometimes we leave features out on purpose to keep the project small.

Issue description

scan the jar built from the latest release 8.12.2 and latest release for scala 2.12 8.9.1, find CVE-2019-10172
jar location: https://mvnrepository.com/artifact/org.elasticsearch/elasticsearch-spark-30_2.12

Steps to reproduce

Code:

Test/code snippet

Strack trace: NA, black duck scan result

Stack trace goes here

Version Info

OS: :
JVM :
Hadoop/Spark:
ES-Hadoop : elasticsearch-spark-30_2.12-8.9.1.jar, elasticsearch-spark-30_2.13-8.12.2.jar
ES :

Feature description

[masseyke]

Hi @trend-greta-pan. I see that CVE-2019-10172 is related to org.codehaus.jackson:jackson-mapper-asl:1.9.x, which is not delivered in the artifact you linked (or any es-hadoop artifact that I'm aware of). Was that the correct CVE?