[
https://issues.apache.org/jira/browse/ATLAS-4925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Disha Talreja updated ATLAS-4925:
---------------------------------
Summary: Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2 (was: Upgrade
protobuf-java to 3.25.5/4.27.5/4.28.2 due to CVE-2024-7254)
> Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2
> ---------------------------------------------
>
> Key: ATLAS-4925
> URL: https://issues.apache.org/jira/browse/ATLAS-4925
> Project: Atlas
> Issue Type: Task
> Components: atlas-core
> Reporter: Disha Talreja
> Assignee: Disha Talreja
> Priority: Major
> Attachments: ATLAS-4925.patch
>
>
> Upgrade protobuf-java to 3.25.5/4.27.5/4.28.2 due to CVE-2024-7254
> Any project that parses untrusted Protocol Buffers data containing an
> arbitrary number of nested groups / series of SGROUP tags can be corrupted by
> exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as
> unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser,
> or against Protobuf map fields, creates unbounded recursion that can be
> abused by an attacker.
> [https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-8055227]
> [https://nvd.nist.gov/vuln/detail/CVE-2024-7254]
> [https://github.com/advisories/GHSA-735f-pc8j-v9w8]
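The upgrade the issue asks for is a dependency pin. The Maven fragment below is an added illustration of that pin and is not the contents of the ATLAS-4925.patch attachment; the `com.google.protobuf:protobuf-java` coordinates are the real ones, while the `protobuf.version` property name and the "before" version 3.25.4 (an affected release, used only as the weak setting) are assumptions about the project's pom.

```xml
<!-- Added example, not taken from ATLAS-4925.patch. -->
<properties>
  <!-- Before: an affected release (3.25.4 is a placeholder for whatever the build resolved). -->
  <!-- <protobuf.version>3.25.4</protobuf.version> -->
  <!-- After: one of the fixed releases named in the issue (3.25.5, 4.27.5 or 4.28.2). -->
  <protobuf.version>3.25.5</protobuf.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Managing the version here also overrides transitive copies, so a library
         that pulls in an older protobuf-java cannot win dependency resolution. -->
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>${protobuf.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=com.google.protobuf:protobuf-java` should show only the pinned version in every module; a second, older copy appearing under some third-party dependency means the managed version is not being applied there and the affected parser is still on the classpath.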
--
This message was sent by Atlassian Jira
(v8.20.10#820010)