[
https://issues.apache.org/jira/browse/CALCITE-6124?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yubin Li updated CALCITE-6124:
------------------------------
Description:
json-path has critical bugs in 2.7.0 used in Caclite project, see
[https://github.com/json-path/JsonPath/issues/906]
cve: [https://www.cve.org/CVERecord?id=CVE-2023-1370]
the current version is vulnerable to Denial of Service (DoS) due to a
StackOverflowError when parsing a deeply nested JSON array or object, and the
issue has been fixed in 2.8.0.
We should bump to to the latest version to resolve it.
was:
json-path has critical bugs in 2.7.0 used in Caclite project, see
[https://github.com/json-path/JsonPath/issues/906]
cve: [https://www.cve.org/CVERecord?id=CVE-2023-1370]
the current version is vulnerable to Denial of Service (DoS) due to a
StackOverflowError when parsing a deeply nested JSON array or object, and the
issue has been fixed in 2.8.0.
> Upgrade json-path version to 2.8.0
> ----------------------------------
>
> Key: CALCITE-6124
> URL: https://issues.apache.org/jira/browse/CALCITE-6124
> Project: Calcite
> Issue Type: Bug
> Components: core
> Reporter: Yubin Li
> Priority: Major
>
> json-path has critical bugs in 2.7.0 used in Caclite project, see
> [https://github.com/json-path/JsonPath/issues/906]
> cve: [https://www.cve.org/CVERecord?id=CVE-2023-1370]
> the current version is vulnerable to Denial of Service (DoS) due to a
> StackOverflowError when parsing a deeply nested JSON array or object, and the
> issue has been fixed in 2.8.0.
> We should bump to to the latest version to resolve it.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
