CVE-2022-42003 Jackson vulnerability #31277
Labels: Azure.Core, azure-core, tracking-external-issue (the issue is caused by an external problem, e.g. the OS; nothing we can do to fix it directly)
This is an issue for tracking CVE-2022-42003, where Jackson Databind versions below `2.14.0-rc1` (at the time of writing this issue on Oct 5th) can run into resource exhaustion if `UNWRAP_SINGLE_VALUE_ARRAYS` is enabled in an `ObjectMapper`. This issue also follows FasterXML/jackson-databind#3590 to see if a fix will be backported to Jackson Databind 2.13.

In addition to tracking, this issue is meant to be informational and explain that the Azure SDKs for Java do not enable `UNWRAP_SINGLE_VALUE_ARRAYS` when using `ObjectMapper`, and therefore aren't affected by the CVE. Unfortunately, since there is no upgrade path forward at this time (the SDKs cannot ship GAs depending on RCs/betas), users of the SDKs may have OWASP and other CVE checking tools flagging their projects as affected by the CVE.

Once there is a version available for the SDKs to upgrade to that doesn't have the CVE, this issue will be closed after upgrading.
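As an added, illustrative example (this is not code from the Azure SDK for Java or from Jackson), here is how a project can audit its own `ObjectMapper` instances for the setting this CVE depends on. It uses only the public Jackson API (`ObjectMapper.isEnabled` and `ObjectMapper.enable` with `DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS`); the mapper names and the `auditMappers` helper are assumptions made for the example.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not Azure SDK or Jackson code): checks ObjectMapper instances
 * for the feature that CVE-2022-42003 applies to, so a project can confirm in a
 * unit test that none of its mappers opted in before a fixed Jackson release is available.
 */
public final class UnwrapSingleValueArraysAudit {

    /** True when the mapper has UNWRAP_SINGLE_VALUE_ARRAYS enabled (Jackson leaves it disabled by default). */
    public static boolean unwrapsSingleValueArrays(ObjectMapper mapper) {
        return mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    /**
     * Hypothetical helper: given the application's named mappers, returns the names
     * of those that enable the feature. An empty result is the state this issue
     * describes for the Azure SDKs (feature not enabled, so the CVE does not apply).
     */
    public static List<String> auditMappers(Map<String, ObjectMapper> mappers) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, ObjectMapper> entry : mappers.entrySet()) {
            if (unwrapsSingleValueArrays(entry.getValue())) {
                flagged.add(entry.getKey());
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample: one mapper with Jackson defaults, one that opted in.
        Map<String, ObjectMapper> mappers = new LinkedHashMap<>();
        mappers.put("defaultMapper", new ObjectMapper());
        mappers.put("optedInMapper",
            new ObjectMapper().enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS));

        // Report which mappers a team would need to review or reconfigure.
        List<String> flagged = auditMappers(mappers);
        System.out.println("Mappers with UNWRAP_SINGLE_VALUE_ARRAYS enabled: " + flagged);
    }
}
```

Wiring `auditMappers` into a test that asserts the returned list is empty gives a project a standing guard against someone enabling the feature later, independent of whether a CVE scanner flags the Jackson version in use.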