computate opened a new pull request, #440:
URL: https://github.com/apache/curator/pull/440

This commit upgrades the jackson-core and jackson-databind dependencies to 2.14.0. The following vulnerabilities are resolved with this commit:

- [CVE-2022-42004] In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
- [CVE-2022-42003] In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions in 2.13.4.1 and 2.12.17.1.
- [CVE-2020-36518] jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
- [CVE-2020-25649] A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
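As an added illustration (not part of the pull request or of Curator's code), the script below reads the jackson-databind version out of a Maven pom.xml and reports which of the three CVEs whose fixed versions the description states still apply to it; CVE-2020-25649 is left out because the description gives no fixed version for it. The Maven version ordering is simplified to numeric parts plus an `rc` qualifier, and the pom fragment is constructed for the example.

```python
"""Flag jackson-databind versions that fall inside the affected ranges
quoted in the PR description (constructed example, not Curator code)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = "{http://maven.apache.org/POM/4.0.0}"   # Maven POM default namespace

def version_key(v: str) -> Tuple[int, ...]:
    """Sortable key for Maven-style versions: digits padded to four parts,
    and an 'rc' qualifier sorts before the release (2.14.0-rc1 < 2.14.0)."""
    main, _, qual = v.partition("-")
    nums = [int(p) for p in main.split(".")]
    nums += [0] * (4 - len(nums))            # 2.13.4 compares as 2.13.4.0
    if qual.lower().startswith("rc"):
        return tuple(nums) + (0, int(qual[2:] or 0))
    return tuple(nums) + (1, 0)

def _lt(a: str, b: str) -> bool: return version_key(a) < version_key(b)
def _ge(a: str, b: str) -> bool: return version_key(a) >= version_key(b)

def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the PR description whose range contains version."""
    hits = []
    if _lt(version, "2.13.4"):                       # fixed in 2.13.4
        hits.append("CVE-2022-42004")
    # fixed in 2.14.0-rc1, plus backport fixes 2.13.4.1 and 2.12.17.1
    backported = (_ge(version, "2.13.4.1") and _lt(version, "2.14.0-rc1")) or \
                 (_ge(version, "2.12.17.1") and _lt(version, "2.13.0"))
    if _lt(version, "2.14.0-rc1") and not backported:
        hits.append("CVE-2022-42003")
    if _lt(version, "2.13.0"):                       # fixed in 2.13.0
        hits.append("CVE-2020-36518")
    return hits

def jackson_databind_version(pom_xml: str) -> Optional[str]:
    """Pull the declared jackson-databind version from a pom.xml string."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(f"{NS}dependency"):
        if dep.findtext(f"{NS}groupId") == "com.fasterxml.jackson.core" and \
           dep.findtext(f"{NS}artifactId") == "jackson-databind":
            return dep.findtext(f"{NS}version")
    return None

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.13.3</version>
  </dependency></dependencies></project>"""   # constructed sample pom

if __name__ == "__main__":
    found = jackson_databind_version(SAMPLE_POM)
    print(found, affected_cves(found))
```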
