[jira] [Updated] (TEZ-4485) Tez - Upgrade jettison to 1.5.4 due to CVE-2023-1436

Mayank Kunwar (Jira) Mon, 03 Apr 2023 10:22:06 -0700


     [ 
https://issues.apache.org/jira/browse/TEZ-4485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Mayank Kunwar updated TEZ-4485:
-------------------------------
    Issue Type: Improvement  (was: Task)

> Tez - Upgrade jettison to 1.5.4 due to CVE-2023-1436
> ----------------------------------------------------
>
>                 Key: TEZ-4485
>                 URL: https://issues.apache.org/jira/browse/TEZ-4485
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Mayank Kunwar
>            Assignee: Mayank Kunwar
>            Priority: Major
>
> Upgrade jettison to 1.5.4 due to CVE-2023-1436
> CVE-2023-1436:- An infinite recursion is triggered in Jettison when 
> constructing a JSONArray from a Collection that contains a self-reference in 
> one of its elements. This leads to a StackOverflowError exception being 
> thrown.
> CVSSv3 Score:- 7.5(High)
> Affected Version:- upto 1.5.4(excluding)
> [https://nvd.nist.gov/vuln/detail/CVE-2023-1436]
> [Scan 
> Report|https://platform-security-api.rke-us-west.kc.cloudera.com/v1/dependency_check/report/cdh/7.2.17.0?output_format=html#]
> [Jar 
> Report|https://cloudera-build-us-west-1.vpc.cloudera.com/s3/build/39453981/ASSEMBLY_REPORT/centos7/REPORTS/jar_report.html#jdom]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (TEZ-4485) Tez - Upgrade jettison to 1.5.4 due to CVE-2023-1436

Reply via email to