[jira] [Updated] (TEZ-4485) Upgrade jettison to 1.5.4 due to CVE-2023-1436

Mayank Kunwar (Jira) Mon, 03 Apr 2023 10:38:09 -0700


     [ 
https://issues.apache.org/jira/browse/TEZ-4485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Mayank Kunwar updated TEZ-4485:
-------------------------------
    Summary: Upgrade jettison to 1.5.4 due to CVE-2023-1436  (was: Tez - 
Upgrade jettison to 1.5.4 due to CVE-2023-1436)

> Upgrade jettison to 1.5.4 due to CVE-2023-1436
> ----------------------------------------------
>
>                 Key: TEZ-4485
>                 URL: https://issues.apache.org/jira/browse/TEZ-4485
>             Project: Apache Tez
>          Issue Type: Improvement
>            Reporter: Mayank Kunwar
>            Assignee: Mayank Kunwar
>            Priority: Major
>
> Upgrade jettison to 1.5.4 due to CVE-2023-1436
> CVE-2023-1436:- An infinite recursion is triggered in Jettison when 
> constructing a JSONArray from a Collection that contains a self-reference in 
> one of its elements. This leads to a StackOverflowError exception being 
> thrown.
> CVSSv3 Score:- 7.5(High)
> Affected Version:- upto 1.5.4(excluding)
> [https://nvd.nist.gov/vuln/detail/CVE-2023-1436]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (TEZ-4485) Upgrade jettison to 1.5.4 due to CVE-2023-1436

Reply via email to