oracle / oci-java-sdk

Oracle Cloud Infrastructure SDK for Java
https://cloud.oracle.com/cloud-infrastructure

sonatype-2022-6438 #531

Closed avnerw74 closed 10 months ago

avnerw74 commented 1 year ago

Hi,

Our scanner detected the below issue in artifact oci-java-sdk-common-httpclient-jersey, which requires upgrading the jackson-core library to at least 2.15.0. Can you please upgrade the jackson packages to recent ones?

Description : Severity : Sonatype CVSS 3: 7.5, CVE CVSS 2.0: 0.0

Weakness : Sonatype CWE:400

Source : Sonatype Data Research

Categories : Data

Explanation : The jackson-core package is vulnerable to a Denial of Service [DoS] attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.

com/fasterxml/jackson/core/base/ParserBase.class
com/fasterxml/jackson/core/base/ParserMinimalBase.class
com/fasterxml/jackson/core/util/TextBuffer.class

Detection : The application is vulnerable by using this component if it does not restrict user-supplied numeric input values prior to deserialization.

Recommendation : We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Root Cause : jackson-core-2.13.1.jar : com/fasterxml/jackson/core/util/TextBuffer.class : [ , 2.15.0-rc1]

Advisories : Project: https://github.com/FasterXML/jackson-core/pull/846

CVSS Details : Sonatype CVSS 3: 7.5, CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Thanks, Avner
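The scanner's recommendation is to move jackson-core to 2.15.0 or later and, as a mitigating control, to bound the size of user-supplied numeric input before it is deserialized. The following is an added example, not code from this issue or from the OCI Java SDK, showing how an application that has already pulled in jackson-core 2.15.x can make that bound explicit with the `StreamReadConstraints` API that release introduced. It assumes jackson-core and jackson-databind 2.15.x on the classpath and Java 11 or newer (for `String.repeat`); the class name `BoundedNumberParsing`, the `boundedMapper` and `parsesWithinLimits` helpers, and the two sample documents are all constructed for this illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class BoundedNumberParsing {

    // Build a JsonMapper whose underlying parser refuses any numeric token
    // longer than maxDigits characters. StreamReadConstraints exists only in
    // jackson-core 2.15.0 and later (the version range the scanner asks for);
    // the 2.13.1 build flagged above has no such limit at all.
    static JsonMapper boundedMapper(int maxDigits) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNumberLength(maxDigits)   // 2.15 default is 1000 digits
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return JsonMapper.builder(factory).build();
    }

    // Returns true when the document parses within the configured limits and
    // false when jackson rejects it for exceeding a stream constraint. Other
    // parse errors still propagate so they are not silently swallowed.
    static boolean parsesWithinLimits(JsonMapper mapper, String json) throws Exception {
        try {
            JsonNode node = mapper.readTree(json);
            return node != null;
        } catch (StreamConstraintsException e) {
            // Raised before any BigInteger/BigDecimal conversion is attempted,
            // so the oversized literal never reaches the expensive code path.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        JsonMapper mapper = boundedMapper(100);

        // Constructed sample inputs: an ordinary amount and a single numeric
        // literal of 5000 digits, which a 2.13.x parser would happily convert.
        String normal = "{\"amount\": 12345.67}";
        String oversized = "{\"amount\": " + "9".repeat(5000) + "}";

        System.out.println("normal parses:    " + parsesWithinLimits(mapper, normal));
        System.out.println("oversized parses: " + parsesWithinLimits(mapper, oversized));
    }
}
```

The limit is enforced while the token is being scanned, so rejection costs no more than reading the offending characters. Applications that cannot upgrade a transitive jackson-core immediately can still pin the version themselves (for example through Maven `dependencyManagement`) and then apply a constraint like this one at every `ObjectMapper` that reads untrusted input.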

joshunter commented 10 months ago

Hi @avnerw74, thanks for bringing this up. The latest OCI Java SDK release updates the jackson-core version to 2.15.2.