[GMU-36] Jackson 2.14.0, log4j 2.19.0, commons-io 2.11.0, json-path 2.7.0 Created: 14/Nov/22  Updated: 22/Feb/23  Resolved: 01/Dec/22

Status: Closed
Project: generate-marc-utils
Components: None
Affects versions: 1.5.0
Fix versions: 1.6.0

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Done Votes: 0
Labels: back-end, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Firebird
Release: Nolana (R3 2022) Bug Fix
RCA Group: Related dependency upgrade
Affected releases:
Nolana (R3 2022)

Description

Upgrade Jackson from 2.12.0 to 2.14.0, fixing Denial of Service (DoS):

https://nvd.nist.gov/vuln/detail/CVE-2020-36518
https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
https://app.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698

Upgrade log4j from 2.16.0 to 2.19.0, fixing Denial of Service (DoS) and Arbitrary Code Execution:

https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://nvd.nist.gov/vuln/detail/CVE-2021-44832

Upgrade commons-io from 2.6 to 2.11.0, fixing Directory Traversal:

https://nvd.nist.gov/vuln/detail/CVE-2021-29425

Upgrade json-path from 2.4.0 to 2.7.0. This indirectly upgrades json-smart from 2.3 to 2.4.7, fixing Denial of Service (DoS):

https://nvd.nist.gov/vuln/detail/CVE-2021-27568
https://nvd.nist.gov/vuln/detail/CVE-2021-31684
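
As an added example (not part of this ticket or of the generate-marc-utils code), a small Python check that reads `mvn dependency:tree` output and reports every artifact resolved below the versions this ticket requires. It checks the resolved tree rather than the POM because json-smart is only fixed transitively through json-path; the two tree texts are constructed, and the `org.example` groupId is made up.

```python
import re

# Minimum versions from the ticket, keyed by Maven groupId:artifactId. json-smart is listed
# because the ticket fixes it only transitively via json-path: check the resolved tree, not the POM.
MIN_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.14.0",  # CVE-2020-36518, CVE-2022-42003/42004
    "org.apache.logging.log4j:log4j-core": "2.19.0",          # CVE-2021-45105, CVE-2021-44832
    "commons-io:commons-io": "2.11.0",                        # CVE-2021-29425
    "com.jayway.jsonpath:json-path": "2.7.0",
    "net.minidev:json-smart": "2.4.7",                        # CVE-2021-27568, CVE-2021-31684
}

def parse_version(v):
    """'2.4.7' -> comparable tuple; numeric parts compare as ints (2.11 > 2.6), a qualifier sorts below a number."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", v))

def parse_tree(text):
    """Yield (groupId:artifactId, resolved version) for each artifact line of `mvn dependency:tree`."""
    for line in text.splitlines():
        parts = line.split()[-1].split(":") if line.strip() else []
        # Skip separator/log lines; coordinates are g:a:type:version[:scope] or g:a:type:classifier:version:scope
        if len(parts) >= 4:
            yield f"{parts[0]}:{parts[1]}", parts[4] if len(parts) == 6 else parts[3]

def find_outdated(tree_text, minimums=MIN_VERSIONS):
    """Return {coordinate: (resolved, required)} for artifacts still below the minimums."""
    outdated = {}
    for coord, version in parse_tree(tree_text):
        required = minimums.get(coord)
        if required and parse_version(version) < parse_version(required):
            outdated[coord] = (version, required)
    return outdated

# Constructed sample trees (not captured from the real project; the org.example groupId is made up).
TREE_BEFORE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] +- commons-io:commons-io:jar:2.6:compile
[INFO] \\- com.jayway.jsonpath:json-path:jar:2.4.0:compile
[INFO]    \\- net.minidev:json-smart:jar:2.3:compile
"""
# json-path bumped in the POM, but a sibling dependency still wins with json-smart 2.3 (nearest-wins).
TREE_PARTIAL = """\
[INFO] +- org.example:other-lib:jar:1.0:compile
[INFO] |  \\- net.minidev:json-smart:jar:2.3:compile
[INFO] \\- com.jayway.jsonpath:json-path:jar:2.7.0:compile
"""
if __name__ == "__main__":
    for name, tree in (("before", TREE_BEFORE), ("partial", TREE_PARTIAL)):
        for coord, (found, need) in sorted(find_outdated(tree).items()):
            print(f"{name}: {coord} {found} < required {need}")
```

Run it against real output with `mvn dependency:tree > tree.txt` and pass the file contents to `find_outdated`; an empty result means every listed artifact resolves at or above the ticket's minimum.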



Generated at Thu Feb 08 22:16:24 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.