jackson-databind exploit CVE-2020-36518, need to upgrade to 2.13+

Description

All jackson-databind versions below 2.13.0 are exposed to CVE-2020-36518:

The current version is 2.13.2.2, and according to the CVE:

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
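An added example, not code from the ticket or from the driver's code base: a streaming pre-check that uses Jackson's iterative JsonParser, available on every 2.x line, to bound object/array nesting before the document is bound with ObjectMapper, which is the recursive step that overflows the stack on unpatched versions. MAX_DEPTH is an assumed value, and the class name is hypothetical.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public final class NestingDepthGuard {
    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper();
    /** Assumed limit; choose it well below the stack budget of the deployment. */
    static final int MAX_DEPTH = 200;

    /** Deepest object/array nesting in the document; throws as soon as it exceeds maxDepth. */
    static int nestingDepth(String json, int maxDepth) throws IOException {
        int depth = 0, deepest = 0;
        JsonParser p = FACTORY.createParser(json);
        try {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    if (++depth > maxDepth) throw new IOException("JSON nesting depth exceeds " + maxDepth);
                    if (depth > deepest) deepest = depth;
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        } finally {
            p.close(); // plain try/finally keeps this usable on a Java 6 build
        }
        return deepest;
    }

    /** Bind untrusted input to Object only after the streaming pass has bounded its depth. */
    static Object parseGuarded(String json) throws IOException {
        nestingDepth(json, MAX_DEPTH);
        return MAPPER.readValue(json, Object.class);
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a shallow document and one nested 100000 levels deep,
        // the shape that makes an unpatched databind recurse until the stack overflows.
        String shallow = "{\"a\":[1,{\"b\":[]}]}";
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 100000; i++) deep.append('[');
        for (int i = 0; i < 100000; i++) deep.append(']');
        System.out.println("shallow depth = " + nestingDepth(shallow, MAX_DEPTH));
        try { parseGuarded(deep.toString()); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The streaming parser tracks nesting with a context chain rather than recursion, so the pre-check itself stays flat on the deep input; the cost is a second pass over the payload.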


Activity

Bret McGuire 
September 26, 2022 at 7:30 PM

This was updated to 2.13.2.2 for 4.x in . I took a look at upgrading 3.x for the same effort but wasn’t able to do so without compromising the ability to run on Java 6.

I’m gonna close this as completed by the other ticket. If you think there’s still work to do let me know and we can revisit.

Duplicate

Created April 20, 2022 at 2:56 PM
Updated September 26, 2022 at 7:32 PM
Resolved September 26, 2022 at 7:32 PM