aws / aws-msk-iam-auth

Enables developers to use AWS Identity and Access Management (IAM) to connect to their Amazon Managed Streaming for Apache Kafka (Amazon MSK) clusters.
Apache License 2.0
138 stars, 65 forks

Reverting change to jackson databind as it broke shadowJar. #162

Closed sidyag closed 2 months ago

sidyag commented 2 months ago

Issue #, if available:

Description of changes: ShadowJar was broken because of the update to databind. Reverting it for now so we can release other changes.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

regin64 commented 2 months ago

Hi @sidyag

Would you consider trying to upgrade to the latest 2.15.x or 2.16.x and see if it still breaks ShadowJar? The current jackson databind version is pretty dated, and its compile dependency of jackson core introduces a rather high level of vulnerability that should be resolved, which is blocking us from adopting this tool. Thanks!

Details of the vulnerabilities:

+------------------+----------+------+---------------------------------------------+---------------+------------------------+-------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                   PACKAGE                   |    VERSION    |         STATUS         |  PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+---------------------------------------------+---------------+------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2023-0067 | high     | 7.50 | com.fasterxml.jackson.core_jackson-core     | 2.14.1        | fixed in 2.15.0        | > 11 months | < 1 hour   | com.fasterxml.jackson.core_jackson-core package    |
|                  |          |      |                                             |               | > 11 months ago        |             |            | versions before 2.15.0 are vulnerable to Denial    |
|                  |          |      |                                             |               |                        |             |            | of Service (DoS). The package does not properly    |
|                  |          |      |                                             |               |                        |             |            | restri...                                          |
+------------------+----------+------+---------------------------------------------+---------------+------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-35116   | medium   | 4.70 | com.fasterxml.jackson.core_jackson-databind | 2.14.1        | fixed in 2.16.0        | > 9 months  | < 1 hour   | jackson-databind through 2.15.2 allows attackers   |
|                  |          |      |                                             |               | > 5 months ago         |             |            | to cause a denial of service or other unspecified  |
|                  |          |      |                                             |               |                        |             |            | impact via a crafted object that uses cyclic       |
|                  |          |      |                                             |               |                        |             |            | depend...                                          |
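A practical way to confirm what a reverted or upgraded build actually ships is to inspect the shaded jar itself rather than the declared dependency, since shadowJar merges transitive artifacts and the bundled jackson-core may differ from the jackson-databind line in the build file. The following script is an added example and is not part of aws-msk-iam-auth or of either commenter's contribution; it assumes the shaded jar retains the standard Maven metadata files (META-INF/maven/<groupId>/<artifactId>/pom.properties) that the shadow plugin copies in from the merged dependencies, takes the "fixed in" versions from the scan table above as the minimum safe versions, and builds its sample jars in memory rather than reading a real build output.

```python
"""Report Jackson artifacts bundled in a shaded (shadowJar) archive that are
below the fixed-in versions quoted in the scan table.

Added example, not project code. Assumes the shaded jar keeps Maven
pom.properties files under META-INF/maven/; the sample jars are constructed.
"""
import io
import re
import zipfile

# Fixed-in versions from the scan table above (assumption: the "fixed in"
# column is the minimum safe version for that artifact).
FIXED_IN = {
    "com.fasterxml.jackson.core:jackson-core": "2.15.0",
    "com.fasterxml.jackson.core:jackson-databind": "2.16.0",
}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) for numeric comparison; a qualifier
    such as '-rc1' is dropped, so it compares as its base version."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def bundled_artifacts(jar_bytes):
    """Return {'group:artifact': version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found


def vulnerable_artifacts(jar_bytes, fixed_in=FIXED_IN):
    """Return {coordinate: (bundled_version, fixed_in_version)} for every
    bundled artifact whose version is below its fixed-in version."""
    flagged = {}
    for coord, bundled in bundled_artifacts(jar_bytes).items():
        floor = fixed_in.get(coord)
        if floor and parse_version(bundled) < parse_version(floor):
            flagged[coord] = (bundled, floor)
    return flagged


def make_sample_jar(versions):
    """Build a minimal shaded-jar-like zip in memory (constructed sample,
    containing only the Maven metadata the checker reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for (group, artifact), version in versions.items():
            path = f"META-INF/maven/{group}/{artifact}/pom.properties"
            body = f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"
            zf.writestr(path, body)
    return buf.getvalue()


# Constructed samples: the 2.14.1 pair matches the scan table; the 2.16.0
# pair represents the upgrade regin64 asks about.
SAMPLE_REVERTED = make_sample_jar({
    ("com.fasterxml.jackson.core", "jackson-core"): "2.14.1",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.14.1",
})
SAMPLE_UPGRADED = make_sample_jar({
    ("com.fasterxml.jackson.core", "jackson-core"): "2.16.0",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.16.0",
})

if __name__ == "__main__":
    for label, jar in (("reverted build", SAMPLE_REVERTED), ("upgraded build", SAMPLE_UPGRADED)):
        print(label, "->", vulnerable_artifacts(jar) or "no flagged Jackson artifacts")
```

Running it against a real build output means reading the shaded jar from disk (`open("build/libs/<jar>", "rb").read()`) in place of the constructed samples; the per-artifact result is what matters here, because a 2.15.x upgrade would clear jackson-core but still leave jackson-databind below its 2.16.0 fixed-in version.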