[
https://issues.apache.org/jira/browse/TINKERPOP-2948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17743038#comment-17743038
]
ASF GitHub Bot commented on TINKERPOP-2948:
-------------------------------------------
Cole-Greer opened a new pull request, #2139:
URL: https://github.com/apache/tinkerpop/pull/2139
https://issues.apache.org/jira/browse/TINKERPOP-2948
This PR is meant to supersede https://github.com/apache/tinkerpop/pull/2061.
This PR includes a version bump for jackson, a bump for the shade plugin
(required due to jackson 2.15.0 being a multi-release jar containing some java
17 and java 20 classes), as well as additional configuration options for
graphSON serializers.
Jackson 2.15.0 adds new StreamReadConstraints which set a max length for
numbers, strings, and a max nesting depth. These have been configured to 10
000, 20 000 000, and 1000 by default in TinkerPop. New serializer configs for
`maxNumberLength`, `maxStringLength`, and `maxNestingDepth` have been added to
graphSON serializers to adjust these values if needed.
> PRISMA security vulnerabilty for jackson-databind 2.14.0
> --------------------------------------------------------
>
> Key: TINKERPOP-2948
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2948
> Project: TinkerPop
> Issue Type: Bug
> Components: server
> Affects Versions: 3.6.3, 3.5.6
> Reporter: Aaron Coady
> Priority: Critical
>
>
> h1. PRISMA-2023-0067 logged against jackson-databind 2.14.0
> [https://github.com/FasterXML/jackson-core/pull/827]
>
> com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are
> vulnerable to Denial of Service (DoS). The package does not properly restrict
> the size or amount of resources that are requested or influenced by an actor,
> which can be used to consume more resources than intended and leads to
> Uncontrolled Resource Consumption ('Resource Exhaustion')
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
