Is jackson 2.13.x going to receive a patch for CVE-2022-42003?

[jsadn]

I wanted to inquire whether 2.13 is vulnerable to CVE-2022-42003 (dependabot indicates so) and whether a patch will be back ported.

[pjfanning]

Do you enable the non-default UNWRAP_SINGLE_VALUE_ARRAYS setting? If not, you are unaffected by that CVE.

[cowtowncoder]

No plans for backporting at this point.

EDIT: the main reason for not backporting is since this is technically behavioral change that could break some usage; specifically if some code assumes that multiple nested Arrays may be used (and unwrapped). Since the likelihood seems small (and there being a security issue) I am comfortable changing this -- without any way to to use old behavior -- in a minor release, but less so in a patch.

[pinpan]

Hello,

Do you have plans to release 2.14 or 3.0 with a fix for CVW-2022-42003?

Pavlin

[pjfanning]

2.14.0 will be released when it is ready - probably within a few weeks

[pinpan]

Thank you for the swift response!

Could you be a bit more specific on the few weeks, please?
Should we count on a few like 3 or 4 or significantly more?
We just need to know how to proceed with the situation on our side.

Thanks!

[cowtowncoder]

@pinpan This is a volunteer project with variable time to spend on fixes AND releases (full release takes 3-4 hours).

But I do hope to get 2.14.0 released by end of October so yes, 3-4 weeks.
Things may change if more issues were found but this is my best current estimate.

[pinpan]

@cowtowncoder, thank you for the confirmation!

[jsadn]

thanks!

[cowtowncoder]

Ok, I may have changed my mind, with a little bit of help from my friends:

FasterXML/jackson-databind#3621

which would go in 2.13.4.1 micro-patch of jackson-databind.

[jsadn]

yay! TYSM

[cowtowncoder]

No problem @jsadn. In the end this made lots of sense.