Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2022/03/30 18:38:00 UTC

[jira] [Closed] (TINKERPOP-2728) jackson-databind high security issue identified

     [ https://issues.apache.org/jira/browse/TINKERPOP-2728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette closed TINKERPOP-2728.
---------------------------------------
    Fix Version/s: 3.6.0
                   3.5.3
         Assignee: Stephen Mallette
       Resolution: Done

You sorta brought this up just in time. Ended up going to 2.13.2.2 for both 3.5.x and 3.6.0:

https://github.com/apache/tinkerpop/commit/663b6b93eb2c5c602a97f91da1f34c3b36e32680

Release for both is in process. 

> jackson-databind high security issue identified
> -----------------------------------------------
>
>                 Key: TINKERPOP-2728
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2728
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: io
>    Affects Versions: 3.5.2
>            Reporter: Aaron Coady
>            Assignee: Stephen Mallette
>            Priority: Major
>             Fix For: 3.6.0, 3.5.3
>
>
> A high severity vulnerability has been logged against jackson-databind. Below is the summary and link to the vulnerability. I see this is already resolved in issue 2678 for 3.6.0
> [https://issues.apache.org/jira/projects/TINKERPOP/issues/TINKERPOP-2678]
> Is this also included in 3.5.3? Do you have an ETA on when this would release?
> Thanks for all your help
>  
> +Vulnerability information:+
> jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
> [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]
>  
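The CVE quoted above is triggered by deeply nested JSON driving jackson-databind's recursive deserializers into a StackOverflowError. Beyond upgrading to a patched jackson-databind, a service that accepts JSON from untrusted callers can bound nesting depth itself. The following is an added example, not TinkerPop or Jackson project code: it walks the document with the jackson-core streaming parser (which tokenizes iteratively rather than recursively) and counts START_OBJECT/START_ARRAY tokens, rejecting the input before ObjectMapper ever sees it. The class name, the MAX_DEPTH value of 64, and the sample inputs are assumptions chosen for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/**
 * Added example (not TinkerPop or Jackson project code): reject JSON whose
 * nesting depth exceeds a fixed bound before handing it to ObjectMapper, so a
 * pathological document cannot push the recursive databind deserializers into
 * a StackOverflowError. MAX_DEPTH = 64 is an assumed limit; choose one that
 * comfortably covers the deepest document your schema legitimately produces.
 */
public final class DepthGuardedJson {
    private static final int MAX_DEPTH = 64; // assumed limit for this example
    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Streams through the document and returns its maximum nesting depth,
     * failing fast with an IOException as soon as MAX_DEPTH is exceeded.
     * The streaming parser keeps no per-level stack frame, so this check
     * itself cannot overflow on deep input.
     */
    static int checkDepth(String json) throws IOException {
        int depth = 0;
        int maxSeen = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > MAX_DEPTH) {
                        throw new IOException("JSON nesting depth exceeds " + MAX_DEPTH
                                + " at " + p.getCurrentLocation());
                    }
                    maxSeen = Math.max(maxSeen, depth);
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return maxSeen;
    }

    /** Builds the tree only after the streaming depth check has passed. */
    static JsonNode parseGuarded(String json) throws IOException {
        checkDepth(json);
        return MAPPER.readTree(json);
    }

    // Constructed sample inputs: one shallow document that passes, and one
    // nested ten levels past the limit that is rejected before databind runs.
    public static void main(String[] args) throws IOException {
        String shallow = "{\"a\":[1,{\"b\":[2]}]}";
        System.out.println("shallow depth = " + checkDepth(shallow)); // 4

        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < MAX_DEPTH + 10; i++) deep.append('[');
        for (int i = 0; i < MAX_DEPTH + 10; i++) deep.append(']');
        try {
            parseGuarded(deep.toString());
            System.out.println("unexpectedly accepted deep input");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard costs a second pass over the input, which is usually acceptable at an API boundary; if that overhead matters, the same depth counter can be applied inside a custom JsonParser wrapper so the document is read once. Either way, the depth limit is defence in depth: the dependency upgrade referenced in the ticket remains the primary fix.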



--
This message was sent by Atlassian Jira
(v8.20.1#820001)