Open Poojitha-R-Rao opened 4 days ago
@Poojitha-R-Rao is there a CVE associated with this PRISMA report?
The vulnerability description is too generic to understand if the SDK is impacted.
@debora-ito - No, we do not have a direct CVE, but we have references from other places (please find links below). Our Twistlock scans revealed this. Please upgrade jackson-core to the latest.
https://github.com/DataDog/dd-trace-java/issues/5844
https://github.com/zendesk/maxwell/issues/2013
https://lists.apache.org/thread/foz49f5nqt6splrhpc21okqkfgpyz68r
https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426
Upcoming End-of-Support
Describe the bug
aws-sdk-bundle-1.12.755.jar and all the prior versions use jackson-core version 2.12.7, which is vulnerable as per the description below.
PRISMA-2023-0067 - Description: com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion').
Please help to upgrade jackson core to the latest version 2.17.1
Expected Behavior
N/A
Current Behavior
N/A
Reproduction Steps
N/A
Possible Solution
No response
Additional Information/Context
No response
AWS Java SDK version used
aws-sdk-bundle-1.12.755
JDK version used
openjdk version "11.0.23"
Operating System and version
N/A
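The report above hinges on one fact a maintainer or downstream user can verify themselves: which jackson-core version is actually embedded in the bundle jar, and whether it is below the 2.15.0 line named in PRISMA-2023-0067. The following script is an added example for this thread, not code from the AWS SDK, Jackson or Prisma. It assumes the bundle keeps the Maven `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries for the libraries it repackages (the same metadata scanners such as Twistlock key on); the sample jar it builds is constructed in memory purely to exercise the check and contains no real classes.

```python
"""Triage helper: does a (possibly shaded) jar embed a jackson-core older than 2.15.0?

Added example for this issue thread; not part of the AWS SDK, Jackson or Prisma.
Assumption: the jar carries Maven pom.properties for its bundled dependencies.
"""
import io
import re
import sys
import zipfile

# From the PRISMA-2023-0067 text quoted in the issue: jackson-core < 2.15.0 is flagged.
FIXED_VERSION = (2, 15, 0)
VULN_GROUP, VULN_ARTIFACT = "com.fasterxml.jackson.core", "jackson-core"
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """'2.12.7' -> (2, 12, 7); a qualifier such as '-rc1' is dropped before comparing."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def parse_pom_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_maven_artifacts(jar):
    """Yield (groupId, artifactId, version) for every pom.properties inside the jar.

    `jar` may be a filesystem path or a binary file-like object."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            match = POM_PROPS_RE.match(name)
            if not match:
                continue
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            yield (props.get("groupId", match.group(1)),
                   props.get("artifactId", match.group(2)),
                   props.get("version", ""))


def vulnerable_jackson_core(jar):
    """Return the jackson-core versions found in the jar that predate 2.15.0."""
    return [v for g, a, v in find_maven_artifacts(jar)
            if g == VULN_GROUP and a == VULN_ARTIFACT and v
            and parse_version(v) < FIXED_VERSION]


def build_sample_jar(jackson_version):
    """Constructed test fixture: an in-memory jar holding only Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/com.amazonaws/aws-java-sdk-bundle/pom.properties",
                    "groupId=com.amazonaws\nartifactId=aws-java-sdk-bundle\nversion=1.12.755\n")
        zf.writestr(f"META-INF/maven/{VULN_GROUP}/{VULN_ARTIFACT}/pom.properties",
                    f"#Generated by Maven\ngroupId={VULN_GROUP}\n"
                    f"artifactId={VULN_ARTIFACT}\nversion={jackson_version}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_jackson.py aws-java-sdk-bundle-1.12.755.jar
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar("2.12.7")
    hits = vulnerable_jackson_core(target)
    if hits:
        print(f"jackson-core {', '.join(hits)} embedded: below 2.15.0, matches PRISMA-2023-0067")
    else:
        print("no jackson-core below 2.15.0 found in Maven metadata")
```

Run it against the real bundle jar to confirm or refute the scanner finding; an empty result only means no Maven metadata advertised an old jackson-core, so if the bundle strips `META-INF/maven`, fall back to inspecting the shaded class files themselves.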