Aaron Coady created TINKERPOP-2678:
--------------------------------------

             Summary: jackson-databind medium security issue identified
                 Key: TINKERPOP-2678
                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2678
             Project: TinkerPop
          Issue Type: Bug
          Components: server
    Affects Versions: 3.5.0
            Reporter: Aaron Coady


com.fasterxml.jackson.core_jackson-databind version 2.11.3 has the following 
identified security issue. The resolution is in versions 2.14, 2.13.1 and 2.12.6.

[https://github.com/FasterXML/jackson-databind/issues/3328]

Issue summary:

jackson-databind in certain versions from 2.10 is vulnerable to a DoS attack, 
but only when using JDK serialization to serialize/deserialize JsonNode values. 
An attacker can provide a 4-byte length payload with the value of 
Integer.MAX_VALUE that will cause the decoder to allocate a large buffer, 
leading to out-of-heap-memory, especially so if the attacker manages to inject 
multiple broken messages.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
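The allocation pattern the linked issue describes, shown as an added example that is not code from TinkerPop, jackson-databind or the reporter: a length-prefixed decoder that trusts the 4-byte length and allocates it up front, next to a hardened reader that rejects out-of-range lengths and only grows its buffer as bytes actually arrive. The class name, the `MAX_PAYLOAD` cap, the helper names and the sample JSON frame are all assumptions made for this illustration; the attack frame is constructed inline and is just the four bytes of `Integer.MAX_VALUE` with nothing after them.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.StreamCorruptedException;
import java.nio.charset.StandardCharsets;

public class LengthPrefixDemo {

    // Hypothetical upper bound for one serialized payload; a real deployment
    // would derive this from its own maximum message size.
    static final int MAX_PAYLOAD = 1 << 20; // 1 MiB

    // Vulnerable pattern: trust the 4-byte length and allocate it in one go.
    // A length of Integer.MAX_VALUE makes new byte[len] fail with
    // OutOfMemoryError before a single payload byte has been read.
    static byte[] readTrusting(DataInputStream in) throws IOException {
        int len = in.readInt();
        byte[] buf = new byte[len];
        in.readFully(buf);
        return buf;
    }

    // Hardened pattern: reject negative or oversized lengths, then read in
    // bounded chunks so allocation tracks bytes actually received rather
    // than bytes the sender merely claims will follow.
    static byte[] readBounded(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_PAYLOAD) {
            throw new StreamCorruptedException("refusing payload length " + len);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream(Math.min(len, 8192));
        byte[] chunk = new byte[8192];
        int remaining = len;
        while (remaining > 0) {
            int n = in.read(chunk, 0, Math.min(chunk.length, remaining));
            if (n < 0) {
                throw new EOFException("stream ended with " + remaining + " bytes outstanding");
            }
            out.write(chunk, 0, n);
            remaining -= n;
        }
        return out.toByteArray();
    }

    // Encoder used by a legitimate sender: 4-byte big-endian length + payload.
    static byte[] frame(byte[] payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(bos);
        dos.writeInt(payload.length);
        dos.write(payload);
        dos.flush();
        return bos.toByteArray();
    }

    // Constructed attacker message: the length field claims Integer.MAX_VALUE
    // and nothing follows it. Four bytes are enough to trigger the bug.
    static byte[] maliciousFrame() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        new DataOutputStream(bos).writeInt(Integer.MAX_VALUE);
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payload; any JSON-ish bytes would do.
        byte[] good = frame("{\"name\":\"marko\",\"age\":29}".getBytes(StandardCharsets.UTF_8));
        byte[] evil = maliciousFrame();

        // Both readers accept the well-formed frame.
        System.out.println("trusting/good : " + new String(
                readTrusting(new DataInputStream(new ByteArrayInputStream(good))), StandardCharsets.UTF_8));
        System.out.println("bounded/good  : " + new String(
                readBounded(new DataInputStream(new ByteArrayInputStream(good))), StandardCharsets.UTF_8));

        // The hardened reader rejects the 4-byte attack without allocating.
        try {
            readBounded(new DataInputStream(new ByteArrayInputStream(evil)));
        } catch (StreamCorruptedException e) {
            System.out.println("bounded/evil  : rejected, " + e.getMessage());
        }

        // The trusting reader attempts a 2 GiB allocation. OutOfMemoryError is
        // caught here only so the demo prints instead of dying.
        try {
            readTrusting(new DataInputStream(new ByteArrayInputStream(evil)));
        } catch (OutOfMemoryError e) {
            System.out.println("trusting/evil : OutOfMemoryError (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac LengthPrefixDemo.java && java LengthPrefixDemo`. The point of the chunked reader is that a peer who sends a large length but few bytes costs the receiver at most one chunk plus whatever it has actually transmitted, and repeated broken messages of this kind therefore cannot exhaust the heap; in a JDK-serialization setting the same check belongs at the top of `readExternal`/`readObject`, before any array is sized from the stream.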
