You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2022/03/30 18:38:00 UTC
[jira] [Closed] (TINKERPOP-2728) jackson-databind high security issue identified
[ https://issues.apache.org/jira/browse/TINKERPOP-2728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephen Mallette closed TINKERPOP-2728.
---------------------------------------
Fix Version/s: 3.6.0
3.5.3
Assignee: Stephen Mallette
Resolution: Done
You sorta brought this up just in time. Ended up going to 2.13.2.2 for both 3.5.x and 3.6.0:
https://github.com/apache/tinkerpop/commit/663b6b93eb2c5c602a97f91da1f34c3b36e32680
Release for both is in process.
> jackson-databind high security issue identified
> -----------------------------------------------
>
> Key: TINKERPOP-2728
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2728
> Project: TinkerPop
> Issue Type: Improvement
> Components: io
> Affects Versions: 3.5.2
> Reporter: Aaron Coady
> Assignee: Stephen Mallette
> Priority: Major
> Fix For: 3.6.0, 3.5.3
>
>
> A high severity vulnerability has been logged against jackson-databind. Below is the summary and link to the vulnerability. I see this is already resolved in issue 2678 for 3.6.0
> [https://issues.apache.org/jira/projects/TINKERPOP/issues/TINKERPOP-2678]
> Is this also included in 3.5.3? Do you have an eta on when this would release?
> Thanks for all your help
>
> +Vulnerability information:+
> jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
> [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)