[jira] [Resolved] (TEZ-4485) Upgrade jettison to 1.5.4 due to CVE-2023-1436

Jira Wed, 05 Apr 2023 01:12:35 -0700


     [ 
https://issues.apache.org/jira/browse/TEZ-4485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


László Bodor resolved TEZ-4485.
-------------------------------
    Resolution: Fixed

> Upgrade jettison to 1.5.4 due to CVE-2023-1436
> ----------------------------------------------
>
>                 Key: TEZ-4485
>                 URL: https://issues.apache.org/jira/browse/TEZ-4485
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Mayank Kunwar
>            Assignee: Mayank Kunwar
>            Priority: Major
>             Fix For: 0.10.3
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Upgrade jettison to 1.5.4 due to CVE-2023-1436
> CVE-2023-1436:- An infinite recursion is triggered in Jettison when 
> constructing a JSONArray from a Collection that contains a self-reference in 
> one of its elements. This leads to a StackOverflowError exception being 
> thrown.
> CVSSv3 Score:- 7.5(High)
> Affected Version:- upto 1.5.4(excluding)
> [https://nvd.nist.gov/vuln/detail/CVE-2023-1436]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Resolved] (TEZ-4485) Upgrade jettison to 1.5.4 due to CVE-2023-1436

Reply via email to