(question about #3972) #3997

Closed
patpatpat123 opened this issue Jun 19, 2023 · 2 comments
Labels
to-evaluate Issue that has been received but not yet evaluated

Comments

@patpatpat123

Describe the bug
All versions of jackson-databind, up to 2.15.x, contain a CVE.

Version information
I am currently using 2.15.0, which Spring Boot pulls, but even with 2.15.2 it is reproducible.

To Reproduce
Just go to Josh's second favorite place, pull a dummy project with SpringBoot 3.1.0 (which contains Jackson) and the issue is reproducible.

Expected behavior
Jackson will not contain the CVE.

Additional context

[INFO] +- org.springframework.data:spring-data-elasticsearch:jar:5.2.0-SNAPSHOT:compile
[INFO] |  +- org.springframework:spring-context:jar:6.0.9:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:6.0.9:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:6.0.9:compile
[INFO] |  |  \- org.springframework:spring-expression:jar:6.0.9:compile
[INFO] |  +- org.springframework:spring-tx:jar:6.0.9:compile
[INFO] |  +- org.springframework.data:spring-data-commons:jar:3.1.0:compile
[INFO] |  +- co.elastic.clients:elasticsearch-java:jar:8.7.1:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- jakarta.json:jakarta.json-api:jar:2.1.1:compile
[INFO] |  |  \- org.eclipse.parsson:parsson:jar:1.0.0:compile
[INFO] |  +- org.elasticsearch.client:elasticsearch-rest-client:jar:8.7.1:compile
[INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  |  +- org.apache.httpcomponents:httpasyncclient:jar:4.1.5:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore-nio:jar:4.4.16:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.0:compile
jackson-databind-2.15.0.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.15.0:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.15.0:*:*:*:*:*:*:*) : CVE-2023-35116
See the dependency-check report for more details.

Could you please help fix the CVE?

Thank you very much.

P.S: This is my first issue in this repository, if not anything else, many thanks for this very cool project.

@patpatpat123 patpatpat123 added the to-evaluate Issue that has been received but not yet evaluated label Jun 19, 2023
@yawkat
Member

yawkat commented Jun 19, 2023

Please see the comments on the associated issue: #3972

This is not a security bug; the CVE has been wrongly assigned. By the same logic, Map.hashCode is "vulnerable".

@cowtowncoder
Member

CVE-2023-35116 is invalid; we do not consider it a legitimate report.

@cowtowncoder cowtowncoder changed the title jackson-databind-2.15.0.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.15.0:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.15.0:*:*:*:*:*:*:*) : CVE-2023-35116 (question about #3972) Oct 2, 2023
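The finding quoted in the issue body comes from an OWASP dependency-check report, and the maintainers' position in this thread is that CVE-2023-35116 is not a legitimate report. A team that accepts that position and wants the scanner to stop flagging jackson-databind for this one identifier can add a suppression scoped to exactly that package and that CVE, rather than excluding the artifact altogether. The suppression file below is an added example, not something posted in this issue or shipped by the Jackson project; the file name, the note text and the package-URL pattern are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2023-35116 against jackson-databind. Upstream maintainers state the
      CVE was wrongly assigned and is not a security bug (see FasterXML/jackson-databind
      issues #3972 and #3997). Suppressed for this single CVE only; any other finding
      against jackson-databind must still be reported.
    ]]></notes>
    <!-- Match every version of jackson-databind, but nothing else -->
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
    <!-- Suppress only this identifier -->
    <cve>CVE-2023-35116</cve>
  </suppress>
</suppressions>
```

Reference the file from the dependency-check plugin's suppression-file setting for your build. Keeping the suppression keyed to one `<cve>` plus one package URL means a genuinely new advisory against jackson-databind, or this same CVE matched against a different artifact, still appears in the report; the `<notes>` element records the reason and the upstream discussion so the suppression can be revisited if the CVE's status changes. The `<suppress>` element also accepts an `until` attribute (a date) if you prefer a suppression that expires and forces a periodic re-check.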