[Snyk-dev] Fix for 72 vulnerabilities #39
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -21,12 +21,12 @@ | |
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-core</artifactId> | ||
| <version>2.12.6</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-databind</artifactId> | ||
| <version>2.12.6.1</version> | ||
|
There was a problem hiding this comment. Description: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. Relevant link: GHSA-rgv9-q543-rqg4 Severity: High There was a problem hiding this comment. Description: In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Relevant link: GHSA-jjjh-jjxp-wpff Severity: High |
||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
|
|
@@ -59,14 +59,14 @@ | |
| <dependency> | ||
| <groupId>org.hibernate</groupId> | ||
| <artifactId>hibernate-validator</artifactId> | ||
| <version>6.0.19.Final</version> | ||
|
There was a problem hiding this comment. Description: Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data. Relevant link: GHSA-7v6m-28jr-rg84 Severity: High |
||
| </dependency> | ||
|
|
||
| <!--vulnerable commons collections (deserialization) --> | ||
| <dependency> | ||
| <groupId>commons-collections</groupId> | ||
| <artifactId>commons-collections</artifactId> | ||
| <version>3.2.2</version> | ||
| </dependency> | ||
|
|
||
| </dependencies> | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Description: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Relevant link: GHSA-h46c-h94j-95f3
Severity: High