OpenAPITools / jackson-databind-nullable

JsonNullable wrapper class and Jackson module to support meaningful null values
Apache License 2.0
103 stars 30 forks

Fix CVE-2023-35116 #58

Closed adam-sherpa6 closed 8 months ago

adam-sherpa6 commented 8 months ago

org.openapitools:jackson-databind-nullable:0.2.6 is affected

adam-sherpa6 commented 8 months ago

For added context, this is from an OWASP scan. The dependency tree is:

```text
+--- org.openapitools:jackson-databind-nullable:0.2.6
|    \--- com.fasterxml.jackson.core:jackson-databind:2.14.0-rc2
|         +--- com.fasterxml.jackson.core:jackson-annotations:2.14.0-rc2
|         |    \--- com.fasterxml.jackson:jackson-bom:2.14.0-rc2
|         |         \--- com.fasterxml.jackson.core:jackson-databind:2.14.0-rc2 (c)   <--- this dependency is flagged here:
```

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.14.0

adam-sherpa6 commented 8 months ago

Sorry for the noise. Per the link above, this may be a false positive:

"NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker."
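For anyone who lands on this issue from the same scanner result: once a finding has been judged a false positive, the practical next step is to suppress it narrowly rather than disable the scan. The file below is an added example of an OWASP dependency-check suppression for this one CVE on this one artifact; it is not part of the issue thread or of the jackson-databind-nullable project. The suppression file path and the `until` expiry date are assumptions, chosen so the decision is revisited rather than forgotten.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: config/dependency-check-suppressions.xml (path is an assumption).
     Scoped to a single CVE and a single Maven coordinate so that other
     jackson-databind findings are still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- 'until' makes the suppression expire; the date is an assumed review deadline. -->
    <suppress until="2024-12-31Z">
        <notes><![CDATA[
        CVE-2023-35116 flagged on the transitive jackson-databind 2.14.0-rc2 pulled in
        by org.openapitools:jackson-databind-nullable:0.2.6.
        Vendor position (per the NVD note): constructing a cyclic data structure and
        serializing it cannot be achieved by an external attacker, so the report is
        not considered a valid vulnerability. Re-evaluate before the expiry date.
        ]]></notes>
        <!-- Match the artifact by package URL, not by file name, so the suppression
             survives a version bump of jackson-databind. -->
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
        <cve>CVE-2023-35116</cve>
    </suppress>
</suppressions>
```

Point the scanner at this file through its suppression-file setting (the Maven and Gradle dependency-check plugins both expose one). The justification lives in `<notes>`, next to the rule, so the next reader of the scan configuration sees why the CVE is muted and when that decision is due for review.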