[FOLIO-3459] spring-module-core: jackson-databind denial of service (CVE-2020-36518)
Created: 24/Mar/22 Updated: 08/Apr/22 Resolved: 08/Apr/22

| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | P3 |
| Reporter: | Julian Ladisch |
| Assignee: | William Welling |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security, security-reviewed, springway |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Development Team: | None |
| RCA Group: | TBD |

| Description |
https://github.com/folio-org/spring-module-core uses com.fasterxml.jackson.core:jackson-databind@2.12.4:

mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ spring-web ---
[INFO] org.folio:spring-web:jar:1.1.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.5.3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-json:jar:2.5.3:compile
[INFO]       \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ spring-domain ---
[INFO] org.folio:spring-domain:jar:1.1.1-SNAPSHOT
[INFO] \- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.30:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ spring-tenant ---
[INFO] org.folio:spring-tenant:jar:1.1.1-SNAPSHOT
[INFO] \- org.folio:spring-domain:jar:1.1.1-SNAPSHOT:compile
[INFO]    \- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.30:compile
[INFO]       \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
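The ticket's remediation is the dependency upgrade; as an added example written for this page (not code from spring-module-core or from the fix), the guard below shows the compensating check a service can apply while a vulnerable jackson-databind is still on the classpath: it measures object/array nesting with Jackson's streaming JsonParser, which tracks context iteratively rather than by recursion, and rejects a document before the recursive databind deserializers ever see it. The 100-level limit, the class name and the two inputs are assumptions constructed for the example.

```java
// Added example (not part of FOLIO-3459 or spring-module-core): a streaming
// nesting-depth guard applied before ObjectMapper touches untrusted JSON.
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestingDepthGuard {
    // Limit assumed for this example; choose one that fits the module's real payloads.
    static final int MAX_DEPTH = 100;

    /** Returns the deepest object/array nesting seen, or -1 as soon as maxDepth is exceeded. */
    static int measureDepth(String json, int maxDepth) throws IOException {
        int depth = 0;
        int deepest = 0;
        // The streaming parser keeps its own context chain, so this loop does not recurse.
        try (JsonParser parser = new JsonFactory().createParser(json)) {
            JsonToken token;
            while ((token = parser.nextToken()) != null) {
                if (token == JsonToken.START_OBJECT || token == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > maxDepth) {
                        return -1; // stop reading: the rest of the document is irrelevant
                    }
                    deepest = Math.max(deepest, depth);
                } else if (token == JsonToken.END_OBJECT || token == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return deepest;
    }

    /** Only documents within the depth limit reach the (recursive) tree deserializer. */
    static JsonNode parseGuarded(ObjectMapper mapper, String json) throws IOException {
        if (measureDepth(json, MAX_DEPTH) < 0) {
            throw new IllegalArgumentException("JSON nested deeper than " + MAX_DEPTH + " rejected");
        }
        return mapper.readTree(json);
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: an ordinary document and one nested 100000 levels deep.
        String normal = "{\"tenant\":\"diku\",\"items\":[{\"id\":1},{\"id\":2}]}";
        String hostile = "[".repeat(100_000) + "]".repeat(100_000);
        System.out.println("normal depth: " + measureDepth(normal, MAX_DEPTH));
        System.out.println("hostile accepted: " + (measureDepth(hostile, MAX_DEPTH) >= 0));
        System.out.println("parsed: " + parseGuarded(new ObjectMapper(), normal));
    }
}
```

The guard is a stopgap, not a substitute for the upgrade: it protects only the entry points that call it, whereas the dependency bump covers every deserialization path in the module.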
| Comments |
| Comment by Ann-Marie Breaux (Inactive) [ 30/Mar/22 ] |

Hi Julian Ladisch or William Welling,
Which dev team should this be assigned to, and does it need to be a Lotus bugfix or can it wait for Morning Glory?