PRISMA-2023-0067 Jackson Number Parse DoS - Analysis of vulnerability - Quesnelia

Description

A similar CVE was reported in January 2024 (https://folio-org.atlassian.net/browse/SECURITY-14); this ticket covers the newly affected modules.

Severity: High
Link: https://github.com/FasterXML/jackson-core/pull/827
Package Name: com.fasterxml.jackson.core_jackson-core
Current version: 2.13.5 (fixed in 2.15.0)

Modules impacted:

  1. mod-licenses 6.0.0

  2. mod-event-config 2.7.0 – https://folio-org.atlassian.net/browse/MODEVENTC-53 – fixed in 2.7.1

  3. mod-invoice-storage 5.8.0 – https://folio-org.atlassian.net/browse/MODINVOSTO-181 – fixed for Ramsons

  4. mod-service-interaction 4.0.1

  5. mod-agreements 7.0.0

  6. mod-audit 2.9.0 – https://folio-org.atlassian.net/browse/MODAUD-185 – fixed for Ramsons

  7. mod-serials-management 1.0.0

  8. mod-invoice 5.8.1 – https://folio-org.atlassian.net/browse/MODINVOICE-545 – fixed for Ramsons
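The fix referenced above (jackson-core 2.15.0, PR #827) introduces StreamReadConstraints with a default cap on numeric literal length. The following is an added example, not code from this ticket or from any FOLIO module, showing how a module can confirm its Jackson dependency enforces that cap and how to tighten it below the default; it assumes jackson-core and jackson-databind 2.15.0 or later on the classpath (the class does not exist in 2.13.5, so a compile failure is itself a sign the upgrade is missing) and uses a constructed JSON document with an oversized number.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.IOException;

public class NumberLengthCheck {

    // Builds an ObjectMapper whose parser enforces an explicit number-length cap.
    // Requires jackson-core >= 2.15.0; StreamReadConstraints is absent in 2.13.x.
    static ObjectMapper hardenedMapper(int maxNumberLength) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNumberLength(maxNumberLength)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return JsonMapper.builder(factory).build();
    }

    // Returns true when the mapper rejects a numeric literal of `digits` digits
    // with StreamConstraintsException, i.e. the length limit is actually enforced.
    static boolean rejectsOversizedNumber(ObjectMapper mapper, int digits) {
        // Constructed input: one object with a single integer literal of the given length.
        String json = "{\"amount\": " + "9".repeat(digits) + "}";
        try {
            mapper.readTree(json);
            return false;                      // parsed without complaint: no limit in effect
        } catch (StreamConstraintsException e) {
            return true;                       // limit enforced before the number was materialised
        } catch (IOException e) {
            return false;                      // some other parse failure, not the constraint
        }
    }

    public static void main(String[] args) {
        // With 2.15 defaults the cap is StreamReadConstraints.DEFAULT_MAX_NUM_LEN (1000 digits).
        ObjectMapper defaults = new ObjectMapper();
        // A module whose inputs never carry long numbers can lower the cap further.
        ObjectMapper hardened = hardenedMapper(100);

        System.out.println("defaults, 500 digits rejected:  " + rejectsOversizedNumber(defaults, 500));
        System.out.println("defaults, 5000 digits rejected: " + rejectsOversizedNumber(defaults, 5000));
        System.out.println("hardened, 500 digits rejected:  " + rejectsOversizedNumber(hardened, 500));
    }
}
```

Running this against a module's actual Jackson version is a quick way to check whether the upgrade listed for each module above has really taken effect in the deployed artifact.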

Activity

Julian Ladisch, May 5, 2024 at 2:15 PM

An attacker requires a valid login to send malicious JSON to an affected module and can only cause denial of service.

Therefore I suggest closing this as won’t do.

Done

Details

RCA Group: TBD

Created April 18, 2024 at 1:09 PM
Updated May 23, 2024 at 3:51 PM
Resolved May 23, 2024 at 3:51 PM