Uploaded image for project: 'Apache Tez'
  1. Apache Tez
  2. TEZ-4485

Upgrade jettison to 1.5.4 due to CVE-2023-1436

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 0.10.3
    • None
    • None

    Description

      Upgrade jettison to 1.5.4 due to CVE-2023-1436

      CVE-2023-1436:- An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

      CVSSv3 Score:- 7.5(High)

      Affected Version:- upto 1.5.4(excluding)

      https://nvd.nist.gov/vuln/detail/CVE-2023-1436

       

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #279

          Activity

            People

              mkunwar Mayank Kunwar
              mkunwar Mayank Kunwar
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 40m
                  40m