Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] #27

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Mar 30, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.fasterxml.jackson.core:jackson-databind (source) 2.11.1 -> 2.12.7.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-42004

In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

CVE-2021-46877

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

CVE-2022-42003

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are
FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.

Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.

The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] - autoclosed Jun 9, 2023
@renovate renovate bot closed this Jun 9, 2023
@renovate renovate bot deleted the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch June 9, 2023 12:45
@renovate renovate bot changed the title Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] - autoclosed Update dependency com.fasterxml.jackson.core:jackson-databind to v2.12.7.1 [SECURITY] Jun 9, 2023
@renovate renovate bot reopened this Jun 9, 2023
@renovate renovate bot restored the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch June 9, 2023 17:03
@renovate renovate bot force-pushed the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch from 094b58c to bc210c5 Compare June 9, 2023 17:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants