taoensso / nippy

The fastest serialization library for Clojure
https://www.taoensso.com/nippy
Eclipse Public License 1.0

CVE on tools-reader 1.4.2 #173

Closed slipset closed 4 months ago

slipset commented 5 months ago

nippy depends on tools-reader 1.4.2 which has a CVE on it, CVE-2017-20189.

This is the latest version of tools-reader, so I guess this is just an FYI.

ptaoussanis commented 5 months ago

@slipset Hi Erik, thanks for pinging about this. Just double-checking - did you link to the correct CVE there?

I believe that's a pretty old issue, and it's not obvious from the linked page that that has anything to do with tools.reader?

Back in 2020, Nippy did have a related vulnerability via the same mechanism (java.io.Serializable being susceptible to gadget chains).

The fix in Nippy's case was to switch to an explicit whitelist for Serializable classes.

It looks like this is maybe an old issue somehow getting dredged up, and being (incorrectly?) attributed to tools.reader? I may be missing something though.
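The mechanism referred to above (java.io.Serializable deserialization resolving arbitrary classes, which is what gadget chains rely on) and the mitigation (an explicit allowlist of classes that may be resolved) can be shown with plain `java.io` in Clojure. The following is an added example written for this thread; it is not Nippy's code and does not use Nippy's own allowlist API. The class names in `allowed-classes` are a constructed set for the demo, and `thaw-allowlisted` is a hypothetical helper name.

```clojure
(ns allowlist-demo
  (:import [java.io ByteArrayInputStream ByteArrayOutputStream
            ObjectInputStream ObjectOutputStream ObjectStreamClass
            InvalidClassException]))

;; Constructed allowlist for the demo: only these class names may be
;; resolved from an incoming stream. Every class descriptor in the
;; stream (including superclass descriptors, e.g. java.lang.Number for
;; java.lang.Long) passes through resolveClass, so list each one.
(def allowed-classes
  #{"java.lang.Long" "java.lang.Number"
    "java.util.HashMap"})

(defn serialize
  "Standard java.io serialization of `obj` to a byte array."
  ^bytes [obj]
  (let [baos (ByteArrayOutputStream.)]
    (with-open [oos (ObjectOutputStream. baos)]
      (.writeObject oos obj))
    (.toByteArray baos)))

(defn allowlisted-input-stream
  "Returns an ObjectInputStream whose resolveClass rejects any class not in
   `allowed`. The check runs before the class is loaded and before any of its
   readObject/readResolve hooks execute, which is the point at which a gadget
   chain would otherwise start."
  ^ObjectInputStream [^bytes ba allowed]
  (proxy [ObjectInputStream] [(ByteArrayInputStream. ba)]
    (resolveClass [^ObjectStreamClass desc]
      (let [class-name (.getName desc)]
        (if (contains? allowed class-name)
          (proxy-super resolveClass desc)
          (throw (InvalidClassException.
                   class-name "class not on deserialization allowlist")))))))

(defn thaw-allowlisted
  "Deserializes `ba` while enforcing the allowlist. Hypothetical helper name."
  [^bytes ba allowed]
  (with-open [ois (allowlisted-input-stream ba allowed)]
    (.readObject ois)))

(comment
  ;; A HashMap of Long values only needs classes on the allowlist:
  (thaw-allowlisted (serialize (java.util.HashMap. {"a" 1})) allowed-classes)
  ;; => {"a" 1}

  ;; Anything else is refused at class-resolution time, before it is
  ;; instantiated:
  (thaw-allowlisted (serialize (java.util.Date.)) allowed-classes)
  ;; => throws InvalidClassException: java.util.Date; class not on
  ;;    deserialization allowlist
  )
```

Overriding `resolveClass` works on every JVM version; on Java 9 and later the same policy can be expressed with `ObjectInputFilter` via `setObjectInputFilter`, which also lets you cap object graph depth and array sizes. Either way, the decision to accept a class is made before the class is loaded, which is what makes an allowlist (rather than a denylist of known gadget classes) the robust form of the fix.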

ptaoussanis commented 4 months ago

Closing since from what I can tell, this alert appears to refer to an old (2017) CVE that would have been resolved by Nippy in 2020. Please feel free to reopen if I've misunderstood something and this still seems to be relevant.