<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:28:18 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3459] spring-module-core: jackson-databind denial of service (CVE-2020-36518)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3459</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/spring-module-core&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/spring-module-core&lt;/a&gt; uses com.fasterxml.jackson.core:jackson-databind@2.12.4:&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind

[INFO] --- maven-dependency-plugin:2.8:tree (&lt;span class=&quot;code-keyword&quot;&gt;default&lt;/span&gt;-cli) @ spring-web ---
[INFO] org.folio:spring-web:jar:1.1.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.5.3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-json:jar:2.5.3:compile
[INFO]       \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

[INFO] --- maven-dependency-plugin:2.8:tree (&lt;span class=&quot;code-keyword&quot;&gt;default&lt;/span&gt;-cli) @ spring-domain ---
[INFO] org.folio:spring-domain:jar:1.1.1-SNAPSHOT
[INFO] \- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.30:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile

[INFO] --- maven-dependency-plugin:2.8:tree (&lt;span class=&quot;code-keyword&quot;&gt;default&lt;/span&gt;-cli) @ spring-tenant ---
[INFO] org.folio:spring-tenant:jar:1.1.1-SNAPSHOT
[INFO] \- org.folio:spring-domain:jar:1.1.1-SNAPSHOT:compile
[INFO]    \- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.30:compile
[INFO]       \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

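&lt;p&gt;jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects: &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2020-36518&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2020-36518&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;In all three modules listed above, jackson-databind 2.12.4 arrives transitively (through spring-boot-starter-json or mbknor-jackson-jsonschema), so the upgrade has to come from a managed-version override or an upgrade of the parent dependency rather than a direct dependency bump. Any code path that deserializes JSON from an untrusted source is presumably exposed; confirm the fixed release against the affected-version ranges in the linked advisory before choosing the upgrade target.&lt;/p&gt;</description>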
                <environment></environment>
        <key id="82267">FOLIO-3459</key>
            <summary>spring-module-core: jackson-databind denial of service (CVE-2020-36518)</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577">William Welling</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                            <label>springway</label>
                    </labels>
                <created>Thu, 24 Mar 2022 21:56:38 +0000</created>
                <updated>Fri, 8 Apr 2022 15:35:38 +0000</updated>
                            <resolved>Fri, 8 Apr 2022 15:35:38 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>1</watches>
                                                                <comments>
                                                            <comment id="197663" author="5af5e627525ba96b58654f12" created="Wed, 30 Mar 2022 16:20:04 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; or &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Aabe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; class=&quot;user-hover&quot; rel=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; data-account-id=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; accountid=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; rel=&quot;noreferrer&quot;&gt;William Welling&lt;/a&gt; Which dev team should this be assigned to, and does it need to be a Lotus bugfix or can it wait for Morning Glory?&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="79722">FOLIO-3456</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="82225">FOLIO-3389</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10367"><![CDATA[TBD]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i04d5m:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 30 Mar 2022 16:20:04 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>