[ https://issues.apache.org/jira/browse/TINKERPOP-2948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723519#comment-17723519 ]
Aaron Coady commented on TINKERPOP-2948: ---------------------------------------- My apologies for not being more clear. I updated [https://github.com/apache/tinkerpop/pull/2061] with the changes to reduce the size of the number in that test to 10^900 to make it pass. To me what this highlights though is we need a mechanism to provide an override for these default values, or a decision that these arbitrarily large defaults are sufficient. To upgrade to jackson 2.15.0 it is required to upgrade the version of the maven-shade-plugin. It looks as if this upgrade is problematic and causing the Netty issues. I think someone with more expertise in this area will have to continue the work to upgrade jackson. > PRISMA security vulnerabilty for jackson-databind 2.14.0 > -------------------------------------------------------- > > Key: TINKERPOP-2948 > URL: https://issues.apache.org/jira/browse/TINKERPOP-2948 > Project: TinkerPop > Issue Type: Bug > Components: server > Affects Versions: 3.6.3, 3.5.6 > Reporter: Aaron Coady > Priority: Major > > > h1. PRISMA-2023-0067 logged against jackson-databind 2.14.0 > [https://github.com/FasterXML/jackson-core/pull/827] > > com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are > vulnerable to Denial of Service (DoS). The package does not properly restrict > the size or amount of resources that are requested or influenced by an actor, > which can be used to consume more resources than intended and leads to > Uncontrolled Resource Consumption ('Resource Exhaustion') -- This message was sent by Atlassian Jira (v8.20.10#820010)