alibaba / bulbasaur

💡 A pluggable, scalable process engine. You can use it to develop business-process, approval-process, retry-process and so on. Hope you enjoy it! 💖 A pluggable, lightweight process engine that lets you quickly implement workflow, approval, and business-failure-retry scenarios.
Apache License 2.0
750 stars 241 forks

Bumps fastjson from 1.2.76 to 1.2.83. #21

Open ZapBird opened 2 years ago

ZapBird commented 2 years ago

Bumps fastjson from 1.2.76 to 1.2.83. To fix CVE-2022-25845: The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode]

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

ZapBird commented 2 years ago

Fix CVE-2022-25845. CVE-2022-25845: The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode]
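Both comments above point at the same workaround for hosts that cannot take the 1.2.83 bump yet: fastjson's safeMode. The example below is added here to show what that setting does; it is not code from the bulbasaur project or from the PR. It uses fastjson's public API (`ParserConfig.getGlobalInstance().setSafeMode(true)`, `JSON.parseObject`) and a small `Task` POJO that is an assumption for illustration only. The two JSON documents are constructed inputs, not captured traffic.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeDemo {

    // Plain POJO used as the explicit deserialization target (assumed for this example).
    public static class Task {
        public String name;
        public int retries;
    }

    // Turn on safeMode for the whole JVM. Setting the system property
    // -Dfastjson.parser.safeMode=true before fastjson is first used is equivalent.
    static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // True if fastjson refused a document that tries to choose the target class via "@type".
    // In safeMode ParserConfig.checkAutoType throws before any class lookup happens,
    // so the autoType bypass paths that CVE-2022-25845 relies on are never reached.
    static boolean rejectsAutoType(String json) {
        try {
            JSON.parseObject(json);
            return false;
        } catch (JSONException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        enableSafeMode();

        // Constructed input: ordinary JSON bound to a class the caller names still works.
        Task t = JSON.parseObject("{\"name\":\"approve\",\"retries\":3}", Task.class);
        System.out.println(t.name + " retries=" + t.retries);

        // Constructed input: a document carrying "@type", the key autoType uses to let the
        // input pick the class. With safeMode on it is rejected regardless of the class name.
        String typed = "{\"@type\":\"java.lang.Object\",\"name\":\"x\"}";
        System.out.println("rejected @type: " + rejectsAutoType(typed));
    }
}
```

Caveat a practitioner should check before flipping the switch: safeMode disables autoType entirely, so any existing code that relies on `@type` for polymorphic deserialization (including fastjson's own `SerializerFeature.WriteClassName` output being read back) will start throwing. Grep the code base for `@type`, `WriteClassName` and `setAutoTypeSupport(true)` first. The fix the PR itself applies, bumping the dependency to 1.2.83, is the preferred route; safeMode is the stopgap for services that cannot redeploy with the new jar immediately.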