[
https://issues.apache.org/jira/browse/TINKERPOP-2948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722925#comment-17722925
]
Aaron Coady commented on TINKERPOP-2948:
----------------------------------------
The upgrade to jackson 2.15.0 requires the upgrade of the maven-shade-plugin. I
was able to get the shaded part working by moving up to version 3.4.1.
Using jackson 2.15.0 fails some of tests, and it appears that 2.15.0 is a
breaking change. Here is an excerpt from their documentation
2.15 adds maximum token limits for different tokens as described below. All
limits are:
* Expressed in input units -- {{{}byte{}}}s or {{{}char{}}}s -- depending on
input source
* Defined as longest allowed length, but not necessarily imposed at 100%
accuracy: that is, if maximum allowed length is specified as 1000 units,
something with length of, say 1003 may not cause exception (but 1500 would)
* Defined in new {{StreamReadConstraints}} class, configurable on
per-{{{}JsonFactory{}}} basis
> PRISMA security vulnerabilty for jackson-databind 2.14.0
> --------------------------------------------------------
>
> Key: TINKERPOP-2948
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2948
> Project: TinkerPop
> Issue Type: Bug
> Components: server
> Affects Versions: 3.6.3, 3.5.6
> Reporter: Aaron Coady
> Priority: Major
>
>
> h1. PRISMA-2023-0067 logged against jackson-databind 2.14.0
> [https://github.com/FasterXML/jackson-core/pull/827]
>
> com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are
> vulnerable to Denial of Service (DoS). The package does not properly restrict
> the size or amount of resources that are requested or influenced by an actor,
> which can be used to consume more resources than intended and leads to
> Uncontrolled Resource Consumption ('Resource Exhaustion')
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
