Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [SECURITY]#108
Open
renovate[bot] wants to merge 1 commit intomasterfrom
Conversation
renovate
bot
force-pushed
the
renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability
branch
from
e31913b to
566358b
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability
branch
from
566358b to
147e2f4
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability
branch
from
147e2f4 to
30b534d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.13.2->2.13.4.2GitHub Vulnerability Alerts
CVE-2020-36518
jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.
CVE-2022-42004
In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the
UNWRAP_SINGLE_VALUE_ARRAYSfeature is explicitly enabled.CVE-2022-42003
In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.
Commits that introduced vulnerable code are
FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.
Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.
The
2.13.4.1release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in2.13.4.2which is listed in the advisory metadata so that users are not subjected to unnecessary build failuresConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.