
Upgrade jackson-jr-objects to 2.15.0 or higher to remediate DDoS vulnerability #193

Open
abiskop opened this issue Dec 27, 2024 · 1 comment

abiskop commented Dec 27, 2024

Release cf-java-logging-support-log4j2: 3.8.4 transitively depends on jackson-core: 2.14.2:

[INFO] |  +- com.sap.hcp.cf.logging:cf-java-logging-support-log4j2:jar:3.8.4:compile
[INFO] |  |  \- com.sap.hcp.cf.logging:cf-java-logging-support-core:jar:3.8.4:compile
[INFO] |  |     \- com.fasterxml.jackson.jr:jackson-jr-objects:jar:2.14.2:compile
[INFO] |  |        \- com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile

Library jackson-core: 2.14.2 contains a DDoS vulnerability, see e.g.: https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538

Please consider upgrading to 2.15.0 or higher.
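A build-time gate that a consumer of this library can run over the text of `mvn dependency:tree`, added here as an example and not code from the issue or from the cf-java-logging-support project: it fails when any artifact with an enforced version floor (here jackson-core and jackson-jr-objects, with the 2.15.0 floor the issue asks for) resolves below that floor. The sample tree is constructed around the lines quoted above; the root artifact `com.example:demo-app` and the sibling dependencies are hypothetical, as is the script name `gate.py`.

```python
"""Gate a Maven build on minimum versions of (transitive) dependencies.

Added example, not part of the issue or the project: parse the output of
`mvn dependency:tree` and report every artifact that resolves below the
floor listed in MINIMUM_VERSIONS, e.g. jackson-core < 2.15.0.
"""
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Floors to enforce (assumption: the versions requested in the issue).
MINIMUM_VERSIONS: Dict[str, str] = {
    "com.fasterxml.jackson.core:jackson-core": "2.15.0",
    "com.fasterxml.jackson.jr:jackson-jr-objects": "2.15.0",
}

# Constructed sample in the shape of `mvn dependency:tree` output. The inner
# four lines are the tree quoted in the issue; root and siblings are made up.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.24.1:compile
[INFO] |  +- com.sap.hcp.cf.logging:cf-java-logging-support-log4j2:jar:3.8.4:compile
[INFO] |  |  \\- com.sap.hcp.cf.logging:cf-java-logging-support-core:jar:3.8.4:compile
[INFO] |  |     \\- com.fasterxml.jackson.jr:jackson-jr-objects:jar:2.14.2:compile
[INFO] |  |        \\- com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.16:compile
"""

# Strips the "[INFO] " prefix and the tree-drawing characters ("+- ", "\- ", "|  ").
_PREFIX = re.compile(r"^(?:\[INFO\]\s*)?[\s|+\\-]*")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version as a tuple: '2.15.0-rc1' -> (2, 15, 0).

    Qualifiers after the numeric part are ignored, so a release candidate of
    2.15.0 passes a 2.15.0 floor; tighten this if that matters in your build.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_below(found: str, floor: str) -> bool:
    """True if `found` is strictly lower than `floor`; '2.15' equals '2.15.0'."""
    a, b = parse_version(found), parse_version(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_tree(tree_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (groupId:artifactId, version) for every resolved node in the tree."""
    for line in tree_text.splitlines():
        body = _PREFIX.sub("", line, count=1).strip()
        # Coordinate lines contain no whitespace. This skips blank lines, plugin
        # banners, and the "(... omitted for conflict ...)" nodes that
        # `-Dverbose` prints for versions Maven did NOT put on the classpath.
        if not body or " " in body:
            continue
        parts = body.split(":")
        if len(parts) == 4:          # root: groupId:artifactId:type:version
            group, artifact, version = parts[0], parts[1], parts[3]
        elif len(parts) in (5, 6):   # node: groupId:artifactId:type[:classifier]:version:scope
            group, artifact, version = parts[0], parts[1], parts[-2]
        else:
            continue
        yield f"{group}:{artifact}", version


def find_violations(
    tree_text: str, minimums: Dict[str, str] = MINIMUM_VERSIONS
) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved version, required floor) for every breach."""
    violations = []
    for coordinate, version in parse_tree(tree_text):
        floor = minimums.get(coordinate)
        if floor is not None and version_below(version, floor):
            violations.append((coordinate, version, floor))
    return violations


def main(argv: List[str]) -> int:
    # `python3 gate.py -` reads a real tree from stdin; otherwise the sample is used.
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_TREE
    violations = find_violations(text)
    for coordinate, version, floor in violations:
        print(f"FAIL {coordinate} resolved to {version}, minimum is {floor}")
    if not violations:
        print("OK: all enforced dependency floors are satisfied")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI as `mvn dependency:tree | python3 gate.py -`. The check looks only at the resolved tree: Maven keeps one version per artifact (nearest wins), so a version it drops never reaches the classpath, which is why the `-Dverbose` lines marked "omitted" are skipped. Until a release with the upgraded dependency is available, a consuming project can also pin `jackson-core` and `jackson-jr-objects` to a 2.15.x version in its own `<dependencyManagement>` section, which overrides the transitive version for the whole build.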

@KarstenSchnitter
Contributor

Thanks for raising this issue. Note that the vulnerability is during deserialization of JSON data. This library uses jackson only for serialization. Nevertheless, I will upgrade the dependency and create a new library version soon.

@KarstenSchnitter KarstenSchnitter self-assigned this Dec 31, 2024
KarstenSchnitter added a commit that referenced this issue Jan 28, 2025
addresses #193

Signed-off-by: Karsten Schnitter <[email protected]>
KarstenSchnitter added a commit that referenced this issue Jan 28, 2025
addresses #193

Signed-off-by: Karsten Schnitter <[email protected]>