github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-rgv9-q543-rqg4] Uncontrolled Resource Consumption in FasterXML jackson-databind #4499

Closed. SunBK201 closed this issue 2 months ago.

SunBK201 commented 4 months ago

According to the patch, this vulnerability was introduced in 2.4.0.

shelbyc commented 4 months ago

Hi @SunBK201, I have a question about the claim that the vulnerability was introduced in 2.4.0. Did you find that information at https://github.com/FasterXML/jackson-databind/blob/063183589218fec19a9293ed2f17ec53ea80ba88/release-notes/VERSION-2.x#L1885-L1890? I've noticed that https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424 says that the vulnerability was introduced in 2.4.0, but the reference links there contain the same information as the reference links for GHSA-rgv9-q543-rqg4.

I checked https://github.com/FasterXML/jackson-databind/blob/jackson-databind-2.4.0/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java and was unable to find the _deserializeFromArray function in the BeanDeserializer.java file in version 2.4.0.
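One way to settle the question shelbyc raises above, namely which release tag first declares `_deserializeFromArray` in `BeanDeserializer.java`, is to pull that file at each candidate tag and check for a method declaration rather than a mere call or comment, then take the lowest version that has one. The script below is an added example for this thread, not code from the advisory database or from the jackson-databind project. The Java snippets and version labels in `SAMPLE_SOURCES` are constructed for illustration only and do not reflect jackson-databind's real history; the raw-GitHub URL pattern follows the `jackson-databind-<version>` tag naming used in the link in the comment above, and the `fetch_sources` helper is the only part that touches the network.

```python
"""Find the earliest release tag whose BeanDeserializer.java declares a method.

Added example for the GHSA-rgv9-q543-rqg4 thread; not code from the
advisory-database or jackson-databind projects. Only the raw-GitHub URL
pattern is real; the sample sources below are constructed.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Tag naming as seen in the thread: jackson-databind-2.4.0 etc.
RAW_URL = ("https://raw.githubusercontent.com/FasterXML/jackson-databind/"
           "jackson-databind-{version}/src/main/java/com/fasterxml/jackson/"
           "databind/deser/BeanDeserializer.java")


def parse_version(tag: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0). Numeric ordering matters: as strings,
    '2.10.0' sorts before '2.4.0' and would give the wrong answer."""
    return tuple(int(part) for part in tag.split("."))


def declares_method(java_source: str, method: str) -> bool:
    """True only if `method` is *declared* in the source (optional modifiers,
    a return type, the name, then '('), not merely called or mentioned in a
    comment. Nothing in the pattern crosses a line boundary."""
    pattern = re.compile(
        r"^[ \t]*(?!(?:return|new|throw|else|case)\b)"
        r"(?:(?:public|protected|private|static|final|abstract|synchronized)[ \t]+)*"
        r"[\w<>\[\],.?]+[ \t]+" + re.escape(method) + r"[ \t]*\(",
        re.MULTILINE,
    )
    return pattern.search(java_source) is not None


def first_version_declaring(sources: Dict[str, str], method: str) -> Optional[str]:
    """Lowest version (numeric order) whose source declares `method`, or None."""
    for version in sorted(sources, key=parse_version):
        if declares_method(sources[version], method):
            return version
    return None


def fetch_sources(versions: List[str]) -> Dict[str, str]:
    """Download BeanDeserializer.java at each tag (network). Tags that do not
    exist return 404 and are skipped so one bad version does not abort the run."""
    sources: Dict[str, str] = {}
    for version in versions:
        try:
            with urllib.request.urlopen(RAW_URL.format(version=version), timeout=30) as resp:
                sources[version] = resp.read().decode("utf-8")
        except urllib.error.HTTPError as exc:
            print(f"skipping {version}: HTTP {exc.code}", file=sys.stderr)
    return sources


# Constructed stand-ins for BeanDeserializer.java at different tags.
# They are NOT the real jackson-databind history; they exist to exercise
# the declaration-vs-call distinction and the version ordering.
CALLING_ONLY_SOURCE = """
public class BeanDeserializer {
    // mentions _deserializeFromArray( in a comment but does not declare it
    public Object deserialize(JsonParser p, DeserializationContext ctxt) {
        return helper._deserializeFromArray(p, ctxt);
    }
}
"""

DECLARING_SOURCE = """
public class BeanDeserializer {
    public Object deserialize(JsonParser p, DeserializationContext ctxt) {
        return _deserializeFromArray(p, ctxt);
    }

    protected Object _deserializeFromArray(JsonParser p, DeserializationContext ctxt)
        throws IOException {
        return null;
    }
}
"""

SAMPLE_SOURCES = {
    "2.3.0": CALLING_ONLY_SOURCE,
    "2.4.0": CALLING_ONLY_SOURCE,
    "2.10.0": DECLARING_SOURCE,   # higher than 2.5.0 despite sorting first as a string
    "2.5.0": DECLARING_SOURCE,
}

if __name__ == "__main__":
    # Offline demonstration on the constructed snippets; pass --online and a
    # list of tags to run the same check against the real files on GitHub.
    if "--online" in sys.argv:
        tags = [a for a in sys.argv[1:] if a != "--online"]
        print(first_version_declaring(fetch_sources(tags), "_deserializeFromArray"))
    else:
        print(first_version_declaring(SAMPLE_SOURCES, "_deserializeFromArray"))
```

Run with `--online 2.3.0 2.4.0 2.5.0 ...` to compare real tags; the answer is only as good as the list of tags you pass, so include every minor release between the last version you believe lacks the method and the first you believe has it. The version key is what prevents the classic mistake of letting `2.10.x` sort below `2.4.x`.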