Upgrade JDBC driver to Jackson 2.16.0 due to 2.15.0 being vulnerable to Denial of Service (CVE-2023-35116)

aws / amazon-redshift-jdbc-driver

Redshift JDBC Driver. It supports JDBC 4.2 specification.

Apache License 2.0

63 stars 31 forks source link

Upgrade JDBC driver to Jackson 2.16.0 due to 2.15.0 being vulnerable to Denial of Service (CVE-2023-35116) #105

Closed dqmdev closed 9 months ago

dqmdev commented 10 months ago

Current driver build uses Jackson 2.15.0

Please review and rebuild with Jackson 2.16.0. and update public page at https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-download-driver.html

CVE-2023-35116: jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. Fixed in 2.16.0

bhvkshah commented 10 months ago

Thanks for bringing this to our attention @dqmdev . Will take a look and possibly include in the next release of the driver.

bhvkshah commented 9 months ago

fixed in version 2.1.0.26