Denial Of Service (DoS) Vulnerability in the Jackson-core library(2.7.9) #491
Assignees
Comments
|
Thanks for the report! I'll ask the team to update this. |
|
hi, @devPalacio , I see in the linked pr it is trying to upgrade the jackson-core to 2.8.6, and not the latest version 2.14.x, is there any reason not bump to the latest. |
|
@scottme, I had some flakes with our integration tests, and was trying to ensure that it wasn't related to a change in the library. The new release will have jackson-core 2.15.0 |
|
This is updated in v5.4.5. Thanks all. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
jackson-core is vulnerable to denial of service (DoS) attacks. The vulnerability is triggered when jackson-core reports an invalid token which has a word of length 10MB. It prints out the token to
server.logfile without limitingmaxTokenLengthto 256 bytes. This can cause a denial of service condition by filling up the disk space available.This issue was fixed in version 2.8.6.
This is the vulnerability summary from veracode. https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-2857/summary
The text was updated successfully, but these errors were encountered: