[FOLIO-3459] spring-module-core: jackson-databind denial of service (CVE-2020-36518) Created: 24/Mar/22  Updated: 08/Apr/22  Resolved: 08/Apr/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P3
Reporter: Julian Ladisch Assignee: William Welling
Resolution: Done Votes: 0
Labels: security, security-reviewed, springway
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3456 Test coverage for spring-module-core,... Open
relates to FOLIO-3389 Upgrade spring-module-core to Spring ... Closed
Sprint:
Development Team: None
RCA Group: TBD

Description

https://github.com/folio-org/spring-module-core uses com.fasterxml.jackson.core:jackson-databind@2.12.4:

mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ spring-web ---
[INFO] org.folio:spring-web:jar:1.1.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.5.3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-json:jar:2.5.3:compile
[INFO]       \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ spring-domain ---
[INFO] org.folio:spring-domain:jar:1.1.1-SNAPSHOT
[INFO] \- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.30:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ spring-tenant ---
[INFO] org.folio:spring-tenant:jar:1.1.1-SNAPSHOT
[INFO] \- org.folio:spring-domain:jar:1.1.1-SNAPSHOT:compile
[INFO]    \- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.30:compile
[INFO]       \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects: https://nvd.nist.gov/vuln/detail/CVE-2020-36518
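The NVD wording above ("before 2.13.0") predates the actual fix: the patched releases are jackson-databind 2.12.6.1 and 2.13.2.1, which cap nesting depth in the affected deserializers, and every module in the tree above still resolves 2.12.4 transitively (via spring-boot-starter-json 2.5.3 and mbknor-jackson-jsonschema 1.0.30), so the version has to be pinned in dependencyManagement or raised through the Spring Boot jackson-bom.version property until the Boot upgrade lands. The following is an added example, not code from spring-module-core: it constructs a deeply nested payload, shows the StackOverflowError an unguarded ObjectMapper.readValue hits on 2.12.4, and shows a non-recursive streaming depth check a module can run on untrusted input while the upgrade is pending. The class name NestingDepthGuard, the MAX_DEPTH value of 1000 and the 100,000-level payload are assumptions for illustration; the program needs jackson-databind on the classpath.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestingDepthGuard {

    // Assumed limit for this example; the 2.12.6.1/2.13.2.1 fix caps the
    // affected deserializers at 1000 levels, so the same number is used here.
    static final int MAX_DEPTH = 1000;

    /** Constructed payload: n opening brackets followed by n closing ones. */
    static String nestedArrays(int n) {
        StringBuilder sb = new StringBuilder(2 * n);
        for (int i = 0; i < n; i++) sb.append('[');
        for (int i = 0; i < n; i++) sb.append(']');
        return sb.toString();
    }

    /**
     * Walks the token stream with jackson-core's JsonParser, which tracks
     * nesting on the heap rather than by recursion, and rejects the document
     * as soon as it nests deeper than maxDepth. Runs before any data binding.
     */
    static void checkDepth(String json, int maxDepth) throws IOException {
        try (JsonParser p = new JsonFactory().createParser(json)) {
            int depth = 0;
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > maxDepth) {
                        throw new IOException("JSON nesting depth exceeds " + maxDepth);
                    }
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        String payload = nestedArrays(100_000); // constructed attacker input

        // Unguarded: binding to Object on 2.12.4 recurses once per level and
        // blows the thread stack. StackOverflowError is caught here only so the
        // demonstration can continue; do not do this in production code.
        try {
            mapper.readValue(payload, Object.class);
            System.out.println("unguarded parse succeeded (jackson-databind already patched?)");
        } catch (StackOverflowError e) {
            System.out.println("unguarded parse: StackOverflowError");
        }

        // Guarded: the streaming check fails fast with a plain IOException and
        // the payload never reaches the recursive deserializer.
        try {
            checkDepth(payload, MAX_DEPTH);
            mapper.readValue(payload, Object.class);
            System.out.println("guarded parse succeeded");
        } catch (IOException e) {
            System.out.println("guarded parse rejected: " + e.getMessage());
        }
    }
}
```

The guard doubles the parse work for every request, so it is a stopgap for the endpoints that accept JSON from tenants, not a replacement for the upgrade. On a patched jackson-databind the unguarded call throws a JsonProcessingException rather than an Error, and on 2.15+ the streaming parser itself enforces a default depth limit of 1000 through StreamReadConstraints, which makes the hand-written check redundant.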



Comments
Comment by Ann-Marie Breaux (Inactive) [ 30/Mar/22 ]

Hi Julian Ladisch or William Welling, which dev team should this be assigned to, and does it need to be a Lotus bugfix or can it wait for Morning Glory?

Generated at Thu Feb 08 23:28:18 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.