[jira] [Closed] (TINKERPOP-2678) jackson-databind medium security issue identified

Stephen Mallette (Jira) Tue, 15 Feb 2022 12:05:04 -0800


     [ 
https://issues.apache.org/jira/browse/TINKERPOP-2678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Stephen Mallette closed TINKERPOP-2678.
---------------------------------------
    Fix Version/s: 3.6.0
         Assignee: Stephen Mallette
       Resolution: Fixed

Fixed via ctr on: 
https://github.com/apache/tinkerpop/commit/60f5dd89e7ec68bdb1bf7b1351b4da40f775afc3

> jackson-databind medium security issue identified
> -------------------------------------------------
>
>                 Key: TINKERPOP-2678
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2678
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.5.0
>            Reporter: Aaron Coady
>            Assignee: Stephen Mallette
>            Priority: Major
>             Fix For: 3.6.0
>
>
> com.fasterxml.jackson.core_jackson-databind version 2.11.3 has this security 
> issue identified. The resolution is in versions 2.14, 2.13.1 and 2.12.6
>  
> [https://github.com/FasterXML/jackson-databind/issues/3328]
>  
> Issue summary:
> jackson-databind in certain versions from 2.10 is vulnerable to DoS attack, 
> only when using JDK serialization to serialize, deserialize JsonNode values. 
> An attacker can provide a 4-byte length payload, with the value of 
> Integer.MAX_VALUE, that will cause the decoder to allocate a large buffer 
> leading to out of heap memory - especially so if the attacker manages to 
> inject multiple broken messages.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Closed] (TINKERPOP-2678) jackson-databind medium security issue identified

Reply via email to