TINKERPOP-2678: jackson-databind medium security issue identified


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 3.5.0
    • 3.6.0
    • server
    • None

    Description

      com.fasterxml.jackson.core_jackson-databind version 2.11.3 has the security issue identified below. The resolution is in versions 2.14, 2.13.1 and 2.12.6.


      https://github.com/FasterXML/jackson-databind/issues/3328


      Issue summary:

      jackson-databind in certain versions from 2.10 onward is vulnerable to a DoS attack, but only when JDK serialization is used to serialize and deserialize JsonNode values. An attacker can provide a 4-byte length payload with the value Integer.MAX_VALUE, which causes the decoder to allocate a large buffer and run out of heap memory, especially if the attacker manages to inject multiple broken messages.
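      The failure mode above is a generic one: a decoder reads an attacker-controlled 4-byte length and pre-allocates a buffer of that size before checking that the bytes actually exist. The following added example (plain Python, not jackson-databind's or TinkerPop's code) shows the unchecked behaviour next to a hardened decoder that validates the declared length against both a policy limit and the bytes remaining in the input before any allocation. The frame layout (big-endian int32 length followed by the payload) and the `max_frame_len` limit are assumptions made for the illustration.

```python
"""
Bounded decoding of 4-byte length-prefixed frames.

Added illustration of the DoS pattern described in the issue. Generic Python,
not jackson-databind's code; the frame layout (big-endian int32 length, then
payload) and the default size limit are assumptions for the example.
"""
import struct
from typing import List

INT32_MAX = 2**31 - 1  # Java's Integer.MAX_VALUE


def naive_declared_size(frame: bytes) -> int:
    """What an unchecked decoder would try to allocate for the first frame.

    It reads the 4-byte length and returns it without comparing it to the
    bytes that follow. The value is returned, not allocated, so this is
    safe to run even for a hostile length.
    """
    if len(frame) < 4:
        raise ValueError("truncated length prefix")
    (declared,) = struct.unpack(">i", frame[:4])
    return declared


def decode_frames(data: bytes, max_frame_len: int = 1 << 20) -> List[bytes]:
    """Hardened decoder: validate the declared length before any allocation.

    Rejects negative lengths, lengths above max_frame_len, and lengths that
    exceed the bytes actually present, so a bogus prefix can never drive a
    large allocation.
    """
    frames: List[bytes] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError(f"truncated length prefix at offset {pos}")
        (declared,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if declared < 0:
            raise ValueError(f"negative frame length {declared} at offset {pos - 4}")
        if declared > max_frame_len:
            raise ValueError(f"frame length {declared} exceeds limit {max_frame_len}")
        if declared > len(data) - pos:
            raise ValueError(
                f"frame length {declared} exceeds remaining {len(data) - pos} bytes"
            )
        # Only now is it safe to copy: the length is bounded by the policy
        # limit and by the bytes that actually exist.
        frames.append(bytes(data[pos:pos + declared]))
        pos += declared
    return frames


def encode_frames(payloads: List[bytes]) -> bytes:
    """Helper to build well-formed frames for the example."""
    return b"".join(struct.pack(">i", len(p)) + p for p in payloads)


# Constructed inputs for the example.
GOOD_STREAM = encode_frames([b'{"a":1}', b"[1,2,3]"])
# Hostile frame: declares Integer.MAX_VALUE bytes but carries only three.
HOSTILE_STREAM = struct.pack(">i", INT32_MAX) + b"\x00\x01\x02"


def check_hostile(data: bytes) -> str:
    """Return the hardened decoder's rejection reason, or 'accepted'."""
    try:
        decode_frames(data)
        return "accepted"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(decode_frames(GOOD_STREAM))
    print("unchecked decoder would allocate:", naive_declared_size(HOSTILE_STREAM))
    print("hardened decoder:", check_hostile(HOSTILE_STREAM))
```

      The design point is the ordering: the length is checked against what is physically present and against an explicit ceiling before a single byte is allocated, so repeated hostile messages cost the decoder one small read each rather than a 2 GB allocation attempt.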

      People

        spmallette Stephen Mallette
        acoady Aaron Coady