[jira] [Created] (TEZ-4485) Tez - Upgrade jettison to 1.5.4 due to CVE-2023-1436

Mayank Kunwar (Jira) Mon, 03 Apr 2023 10:21:27 -0700

Mayank Kunwar created TEZ-4485:
----------------------------------

             Summary: Tez - Upgrade jettison to 1.5.4 due to CVE-2023-1436
                 Key: TEZ-4485
                 URL: https://issues.apache.org/jira/browse/TEZ-4485
             Project: Apache Tez
          Issue Type: Task
            Reporter: Mayank Kunwar



Upgrade jettison to 1.5.4 due to CVE-2023-1436

CVE-2023-1436:- An infinite recursion is triggered in Jettison when 
constructing a JSONArray from a Collection that contains a self-reference in 
one of its elements. This leads to a StackOverflowError exception being thrown.

CVSSv3 Score:- 7.5(High)

Affected Version:- upto 1.5.4(excluding)

[https://nvd.nist.gov/vuln/detail/CVE-2023-1436]

[Scan 
Report|https://platform-security-api.rke-us-west.kc.cloudera.com/v1/dependency_check/report/cdh/7.2.17.0?output_format=html#]

[Jar 
Report|https://cloudera-build-us-west-1.vpc.cloudera.com/s3/build/39453981/ASSEMBLY_REPORT/centos7/REPORTS/jar_report.html#jdom]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (TEZ-4485) Tez - Upgrade jettison to 1.5.4 due to CVE-2023-1436

Reply via email to