FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

(avro) Snyk Reports a Critical Vulnerability (org.codehaus.jackson:jackson-mapper-asl Improper Input Validation) -- NOT APPLICABLE (polymorphic deserialization) #412

Closed tomthehumanmettle closed 1 year ago

tomthehumanmettle commented 1 year ago

Introduced through: com.fasterxml.jackson.dataformat:jackson-dataformat-avro@2.16.0-rc1 › org.apache.avro:avro@1.8.2 › org.codehaus.jackson:jackson-mapper-asl@1.9.13

Link to issue: https://app.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJACKSON-3326362

cowtowncoder commented 1 year ago

Nothing we can do without figuring out how to upgrade to Avro 1.9.0 or later, see #167 f.ex.

This itself is dup of #187 so will close.

tomthehumanmettle commented 1 year ago

I don't think this should be closed, as the earlier issue does not mention the fact that a critically vulnerable transitive dependency is pulled in @cowtowncoder. I think this should remain open to provide visibility of this, as it's an issue that is going to prevent many organisations from using this lib due to security policies.

cowtowncoder commented 1 year ago

I disagree. The root problem is that we cannot update to a later version. Anyone looking for a specific vuln can find this one, even if closed.

Also: the vulnerability is non-applicable, as usual (the vast majority of vulns/CVEs are non-applicable based on my experience) -- it only affects Polymorphic Deserialization, none of which is used by the Avro format module or the Apache Avro library.
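The applicability argument above turns on one distinction in the old Codehaus Jackson 1.x API: reading JSON into a fixed target type (tree or data binding) versus polymorphic deserialization, where the JSON itself names the class to instantiate (default typing or `@JsonTypeInfo`). The following is an added example, not code from jackson-dataformats-binary or Apache Avro, written against `org.codehaus.jackson:jackson-mapper-asl:1.9.13` as pulled in by the dependency path in the report. It shows both call patterns side by side so a reader can recognise which one their own code uses; the Avro schema string and the typed JSON input are constructed for the example. The claim that Avro's schema parser only uses the tree API is the maintainer's statement above, restated here as an assumption of the example, not verified against Avro source on this page.

```java
// Added example: contrasts plain tree reading with default-typed (polymorphic)
// deserialization in Jackson 1.x. Requires org.codehaus.jackson:jackson-mapper-asl:1.9.13.
import org.codehaus.jackson.JsonNode;
import org.codehaus.jackson.map.ObjectMapper;

public class PolymorphicTypingCheck {

    // Pattern 1: tree reading. The caller never hands Jackson a class name taken
    // from input; the result is a JsonNode regardless of content. This is the
    // kind of use the maintainer attributes to Avro's schema parsing (assumption).
    static String schemaTypeViaTree(String avroSchemaJson) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        JsonNode root = mapper.readTree(avroSchemaJson);
        return root.get("type").asText();
    }

    // Pattern 2: default typing. With enableDefaultTyping(...) the JSON document
    // may carry the class to instantiate ("[ \"fully.qualified.Name\", value ]").
    // This is the feature family that "polymorphic deserialization" advisories
    // concern. Whether it is reachable depends on whether any code on the
    // classpath calls enableDefaultTyping or uses @JsonTypeInfo on Jackson 1.x types.
    static Object readWithDefaultTyping(String typedJson) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper.readValue(typedJson, Object.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed Avro record schema, as a consumer of the avro module would pass it.
        String avroSchema = "{\"type\":\"record\",\"name\":\"User\","
                + "\"fields\":[{\"name\":\"id\",\"type\":\"long\"}]}";
        System.out.println("tree read -> type = " + schemaTypeViaTree(avroSchema));

        // Constructed typed input: the class name comes from the document, not the caller.
        // java.util.HashMap is used only to show the mechanism; nothing harmful is loaded.
        String typedJson = "[\"java.util.HashMap\", {\"a\": 1}]";
        Object value = readWithDefaultTyping(typedJson);
        System.out.println("default typing -> instantiated " + value.getClass().getName());
    }
}
```

To apply the maintainer's reasoning to your own build, search your sources and the jars on the runtime classpath for `enableDefaultTyping` and `org.codehaus.jackson.annotate.JsonTypeInfo`; if neither the application nor any library calls into pattern 2, the flagged code path in `jackson-mapper-asl` is not reachable through the Avro module's use of it. That check does not remove the dependency, which is the separate upgrade problem tracked in the linked issues.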