Task
Resolution: Not an issue
BOM 6.2.43
According to this notice:
FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the StreamReadConstraints value field. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
Notes
It doesn't look like we use StreamReadConstraints. Probably a false positive.
[INFO] | +- info.magnolia.webhooks:magnolia-webhooks-core:jar:1.0.2:compile
[INFO] | | +- org.antlr:antlr4-runtime:jar:4.9.2:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile
—
The issue does indeed look like a false positive:
- the daily CVE check based on https://nvd.nist.gov/ used by Magnolia hasn't reported jackson-core 2.13.5 as vulnerable so far
- there is no such vulnerable class com/fasterxml/jackson/core/StreamReadConstraints.java in the branch used by Magnolia, as the class was introduced in a later version (2.15)
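The two checks made in the comment above (which jackson-core version the build actually resolves, and whether the shipped jar contains the class named in the advisory) can be scripted so the triage rests on evidence from the artifact rather than on the scanner's version match. The script below is an added example and is not part of this ticket or of Magnolia's tooling. It assumes a Maven-built jar carries `META-INF/maven/<groupId>/<artifactId>/pom.properties`, that `mvn dependency:tree` lines have the five-part `group:artifact:packaging:version:scope` form shown in the ticket (lines with a classifier are not handled), and it builds a constructed stand-in jar instead of reading a real one:

```python
import io
import re
import zipfile
from typing import Optional

# Class whose presence marks the code path named in the advisory. Per the ticket
# it first appears in jackson-core 2.15; the 2.13 branch does not ship it.
STREAM_READ_CONSTRAINTS_CLASS = "com/fasterxml/jackson/core/StreamReadConstraints.class"

# Matches the coordinate part of a `mvn dependency:tree` line, e.g.
# "[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile".
# Assumption: five-part coordinates only (no classifier).
_TREE_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<packaging>\w+)"
    r":(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def find_artifact_versions(tree_output: str, group: str, artifact: str) -> list[str]:
    """Return every version of group:artifact that appears in dependency:tree output."""
    return [
        m.group("version")
        for m in _TREE_LINE.finditer(tree_output)
        if m.group("group") == group and m.group("artifact") == artifact
    ]


def jar_version(jar_bytes: bytes, group: str, artifact: str) -> Optional[str]:
    """Read `version=` from the jar's Maven pom.properties, or None if it is absent."""
    path = f"META-INF/maven/{group}/{artifact}/pom.properties"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if path not in zf.namelist():
            return None
        for line in zf.read(path).decode("utf-8", "replace").splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and key == "version":
                return value
    return None


def jar_has_class(jar_bytes: bytes, class_path: str) -> bool:
    """True if the jar actually ships the given .class entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return class_path in zf.namelist()


def triage(jar_bytes: bytes) -> dict:
    """Summarise what the jar ships so the advisory match can be judged on evidence."""
    return {
        "version": jar_version(jar_bytes, "com.fasterxml.jackson.core", "jackson-core"),
        "has_stream_read_constraints": jar_has_class(jar_bytes, STREAM_READ_CONSTRAINTS_CLASS),
    }


def build_fake_jar(version: str, include_class: bool) -> bytes:
    """Constructed stand-in for a jackson-core jar (test fixture, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
            f"version={version}\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-core\n",
        )
        zf.writestr("com/fasterxml/jackson/core/JsonParser.class", b"\xca\xfe\xba\xbe")
        if include_class:
            zf.writestr(STREAM_READ_CONSTRAINTS_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample of dependency:tree output (the lines quoted in the ticket).
SAMPLE_TREE = """\
[INFO] | +- info.magnolia.webhooks:magnolia-webhooks-core:jar:1.0.2:compile
[INFO] | | +- org.antlr:antlr4-runtime:jar:4.9.2:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile
"""

if __name__ == "__main__":
    print(find_artifact_versions(SAMPLE_TREE, "com.fasterxml.jackson.core", "jackson-core"))
    print(triage(build_fake_jar("2.13.5", include_class=False)))
    print(triage(build_fake_jar("2.15.0", include_class=True)))
```

Against a real build, `find_artifact_versions` is fed the saved output of `mvn dependency:tree` and `triage` the bytes of the resolved jar from the local repository; a jar that reports a 2.13.x version and has no `StreamReadConstraints.class` entry supports the "not an issue" resolution above, while a jar that does contain the class is the signal to re-open the question.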
Acceptance criteria