Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update jackson-databind to fix CVE-2020-36518 #567

Closed
zz-jason opened this issue Mar 24, 2022 · 1 comment · Fixed by #584
Closed

update jackson-databind to fix CVE-2020-36518 #567

zz-jason opened this issue Mar 24, 2022 · 1 comment · Fixed by #584
Assignees
@iosmanthus
Labels
severity/critical type/bug Something isn't working

Comments

@zz-jason
Copy link
Member

Bug Report

1. Describe the bug

jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects. There is currently no workaround but a patch will be available in version 2.14.

CVE ID: CVE-2020-36518

2. Minimal reproduce step (Required)

N/A

3. What did you see instead (Required)

Screen Shot 2022-03-24 at 14 14 13

4. What did you expect to see? (Required)

5. What is your Java Client and TiKV version? (Required)

  • Client Java: latest(commit hash: 92fea32)
  • TiKV: N/A
@zz-jason zz-jason added type/bug Something isn't working severity/critical labels Mar 24, 2022
@zz-jason
Copy link
Member Author

waiting for the fix and newer release of jackson-databind, see FasterXML/jackson-databind#2816 for details.

@iosmanthus iosmanthus self-assigned this Mar 24, 2022
@zz-jason zz-jason changed the title update jackson-databind to fix the high severity issue: CVE-2020-36518 update jackson-databind to fix CVE-2020-36518 Mar 24, 2022
@iosmanthus iosmanthus mentioned this issue Apr 7, 2022
Merged
zz-jason pushed a commit that referenced this issue Apr 7, 2022
@iosmanthus
[close #567] upgrade jackson-databind to 2.13.2.2 to fix CVE-2020-36518
7fa24c3 
… (#584)
This was referenced Apr 7, 2022
Merged
Merged
zz-jason pushed a commit that referenced this issue Apr 7, 2022
@ti-srebot @iosmanthus
[close #567] upgrade jackson-databind to 2.13.2.2 to fix CVE-2020-36518
d0a3218 
… (#584) (#585)

Co-authored-by: iosmanthus <[email protected]>
Co-authored-by: iosmanthus <[email protected]>
zz-jason pushed a commit that referenced this issue Apr 8, 2022
@ti-srebot @iosmanthus
[close #567] upgrade jackson-databind to 2.13.2.2 to fix CVE-2020-36518
058ba27 
… (#584) (#586)

Co-authored-by: iosmanthus <[email protected]>
iosmanthus added a commit that referenced this issue Apr 8, 2022
@ti-srebot @iosmanthus
[close #567] upgrade jackson-databind to 2.13.2.2 to fix CVE-2020-36518
b54d6c0 
… (#584) (#585)

Co-authored-by: iosmanthus <[email protected]>
Co-authored-by: iosmanthus <[email protected]>
iosmanthus added a commit to iosmanthus/client-java that referenced this issue May 30, 2022
@iosmanthus
[close tikv#567] upgrade jackson-databind to 2.13.2.2 to fix CVE-2020…
67ca6bf 
…-36518 (tikv#584)

Signed-off-by: iosmanthus <[email protected]>
@iosmanthus iosmanthus mentioned this issue May 30, 2022
Merged
sunxiaoguang pushed a commit that referenced this issue May 30, 2022
@iosmanthus
[close #567] upgrade jackson-databind to 2.13.2.2 to fix CVE-2020-36518
fed0826 
… (#584) (#605)

Signed-off-by: iosmanthus <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iosmanthus iosmanthus

Labels
severity/critical type/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[close #567] upgrade jackson-databind to 2.13.2.2 to fix CVE-2020-36518 iosmanthus/client-java
2 participants
@zz-jason @iosmanthus