[GMU-36] Jackson 2.14.0, log4j 2.19.0, commons-io 2.11.0, json-path 2.7.0

| Created: | 14/Nov/22 |
| Updated: | 22/Feb/23 |
| Resolved: | 01/Dec/22 |
| Status: | Closed |
| Project: | generate-marc-utils |
| Components: | None |
| Affects versions: | 1.5.0 |
| Fix versions: | 1.6.0 |
| Type: | Bug |
| Priority: | TBD |
| Reporter: | Julian Ladisch |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | back-end, security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Sprint: | |
| Development Team: | Firebird |
| Release: | Nolana (R3 2022) Bug Fix |
| RCA Group: | Related dependency upgrade |
| Affected releases: | Nolana (R3 2022) |
| Description |

Upgrade Jackson from 2.12.0 to 2.14.0, fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2020-36518

Upgrade log4j from 2.16.0 to 2.19.0, fixing Denial of Service (DoS) and Arbitrary Code Execution: https://nvd.nist.gov/vuln/detail/CVE-2021-45105

Upgrade commons-io from 2.6 to 2.11.0, fixing Directory Traversal: https://nvd.nist.gov/vuln/detail/CVE-2021-29425

Upgrade json-path from 2.4.0 to 2.7.0. This indirectly upgrades json-smart from 2.3 to 2.4.7, fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2021-27568