Devaspati Krishnatri created HIVE-27425:
-------------------------------------------

             Summary: Upgrade Nimbus-JOSE-JWT to 9.24 due to CVEs coming from json-smart
                 Key: HIVE-27425
                 URL: https://issues.apache.org/jira/browse/HIVE-27425
             Project: Hive
          Issue Type: Task
            Reporter: Devaspati Krishnatri
            Assignee: Devaspati Krishnatri


Nimbus-JOSE-JWT before 9.24 uses a vulnerable version of json-smart.

nimbus-jose-jwt 9.24 dropped the json-smart dependency completely and replaced it with *Gson 2.9.1 (shaded)*, as seen in the commit history here: 
[https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/tag/9.24].

Json-smart before 2.4.9 is affected by CVE-2023-1370.

CVE-2023-1370 - [Json-smart|https://netplex.github.io/json-smart/] is a 
performance-focused JSON processor library. When reaching a '[' or '{' character 
in the JSON input, the code parses an array or an object, respectively. It was 
discovered that the code does not have any limit on the nesting of such arrays 
or objects. Since the parsing of nested arrays and objects is done recursively, 
nesting too many of them can cause stack exhaustion (stack overflow) and 
crash the software.
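The failure mode described above, as an added illustration that is not json-smart's, Gson's or nimbus-jose-jwt's code: a small recursive-descent parser for a JSON subset in which '[' and '{' recurse exactly as the CVE text describes. With max_depth=None it reproduces the unbounded behaviour (the Python RecursionError stands in for the JVM's StackOverflowError); with a depth bound it rejects the same input cleanly. The limit value 256 and the hostile input are assumptions for the demonstration, not the bound json-smart 2.4.9 actually applies.

```python
# Added illustration of CVE-2023-1370 style nesting exhaustion.
# Not the json-smart code; a generic recursive JSON-subset parser with
# an optional depth bound. The limit below is an assumed example value.
DEFAULT_MAX_DEPTH = 256


class NestingTooDeep(ValueError):
    """Raised by the bounded parser instead of letting the stack overflow."""


class JsonSubsetParser:
    """Recursive-descent parser for objects, arrays, escape-free strings,
    integers and true/false/null. max_depth=None disables the check and
    mirrors the vulnerable behaviour described in the CVE."""

    def __init__(self, text, max_depth=DEFAULT_MAX_DEPTH):
        self.text, self.pos, self.max_depth = text, 0, max_depth

    def parse(self):
        value = self.parse_value(depth=0)
        self.skip_ws()
        if self.pos != len(self.text):
            raise ValueError("trailing data")
        return value

    def skip_ws(self):
        while self.pos < len(self.text) and self.text[self.pos] in " \t\r\n":
            self.pos += 1

    def expect(self, ch):
        self.skip_ws()
        if self.pos >= len(self.text) or self.text[self.pos] != ch:
            raise ValueError(f"expected {ch!r} at {self.pos}")
        self.pos += 1

    def enter(self, depth):
        # The check the vulnerable parser lacked: bound the recursion
        # before descending into another array or object.
        if self.max_depth is not None and depth > self.max_depth:
            raise NestingTooDeep(f"nesting depth {depth} exceeds {self.max_depth}")

    def parse_value(self, depth):
        self.skip_ws()
        if self.pos >= len(self.text):
            raise ValueError("unexpected end of input")
        ch = self.text[self.pos]
        if ch == "[":
            return self.parse_array(depth + 1)   # recursion, as in the CVE
        if ch == "{":
            return self.parse_object(depth + 1)  # recursion, as in the CVE
        if ch == '"':
            return self.parse_string()
        if ch in "-0123456789":
            return self.parse_number()
        for literal, val in (("true", True), ("false", False), ("null", None)):
            if self.text.startswith(literal, self.pos):
                self.pos += len(literal)
                return val
        raise ValueError(f"unexpected {ch!r} at {self.pos}")

    def parse_array(self, depth):
        self.enter(depth)
        self.expect("[")
        items = []
        self.skip_ws()
        if self.text.startswith("]", self.pos):
            self.pos += 1
            return items
        while True:
            items.append(self.parse_value(depth))
            self.skip_ws()
            if self.text.startswith(",", self.pos):
                self.pos += 1
                continue
            self.expect("]")
            return items

    def parse_object(self, depth):
        self.enter(depth)
        self.expect("{")
        obj = {}
        self.skip_ws()
        if self.text.startswith("}", self.pos):
            self.pos += 1
            return obj
        while True:
            key = self.parse_string()
            self.expect(":")
            obj[key] = self.parse_value(depth)
            self.skip_ws()
            if self.text.startswith(",", self.pos):
                self.pos += 1
                continue
            self.expect("}")
            return obj

    def parse_string(self):
        self.expect('"')
        end = self.text.find('"', self.pos)
        if end < 0:
            raise ValueError("unterminated string")
        s = self.text[self.pos:end]
        self.pos = end + 1
        return s

    def parse_number(self):
        start = self.pos
        if self.text[self.pos] == "-":
            self.pos += 1
        while self.pos < len(self.text) and self.text[self.pos].isdigit():
            self.pos += 1
        return int(self.text[start:self.pos])


def parse_json(text, max_depth=DEFAULT_MAX_DEPTH):
    return JsonSubsetParser(text, max_depth).parse()


def outcome(text, max_depth):
    """How parsing ends: 'ok', 'rejected' (clean NestingTooDeep) or
    'stack_exhausted' (RecursionError, the analogue of StackOverflowError)."""
    try:
        parse_json(text, max_depth)
        return "ok"
    except NestingTooDeep:
        return "rejected"
    except RecursionError:
        return "stack_exhausted"


# Constructed hostile input: nothing but nesting, far deeper than any
# legitimate JOSE header and deeper than the default interpreter stack.
HOSTILE = "[" * 20000 + "]" * 20000

if __name__ == "__main__":
    print(parse_json('{"alg": "RS256", "kid": "k1", "crit": ["exp"]}'))
    print("unbounded parser:", outcome(HOSTILE, None))
    print("bounded parser:  ", outcome(HOSTILE, DEFAULT_MAX_DEPTH))
```

The depth bound is the whole fix: a JWT header or payload that an application legitimately accepts is a handful of levels deep, so a parser that refuses anything deeper turns an attacker-controlled crash into an ordinary parse error that the caller can log and drop.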



--
This message was sent by Atlassian Jira
(v8.20.10#820010)