Details
- Bug
- Status: Closed
- P3
- Resolution: Done
- Folijet
- Lotus R1 2022
- Not a bug
Description
mod-source-record-manager-server uses jackson-databind 2.10.*, which is vulnerable to this Denial-of-Service vulnerability:
- Affected versions of jackson-databind are vulnerable to Denial of Service (DoS) when using JDK serialization to serialize and deserialize JsonNode values.
- https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698
- https://github.com/FasterXML/jackson-databind/issues/3328
Affected jackson-databind versions: < 2.12.6, 2.13.0
mod-source-record-manager-server (all versions <= 3.2.7) currently uses unsupported jackson-databind 2.10.*.
FOLIO modules use JsonNode in at least 36 files: https://github.com/search?q=org%3Afolio-org+jsonnode&type=code
Task: Either
- fix by removing or updating kafka-junit (see MODSOURMAN-636), or
- investigate how mod-source-record-manager-server is affected by this vulnerability and explain why it is not affected.
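As an added example (not code from the issue or from the FOLIO project), a Maven pom fragment showing the first remediation path in build terms: dependencyManagement forces jackson-databind to the fixed release regardless of which transitive dependency (kafka-junit or another) pulls in 2.10.*, and an enforcer rule fails the build if an affected version is still resolved. The plugin version and execution id are assumptions.

```xml
<!-- Added example, not from the issue or mod-source-record-manager: pin jackson-databind
     to a fixed release and fail the build if an affected version is still resolved. -->
<project>
  <properties>
    <!-- 2.13.1 is the version named in MODSOURMAN-704 -->
    <jackson.version>2.13.1</jackson.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <!-- Overrides the version of any transitive jackson-databind, e.g. the one kafka-junit brings in -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>ban-vulnerable-jackson-databind</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Affected range from the advisory: every release below 2.12.6, plus 2.13.0.
                       Transitive dependencies are searched as well. -->
                  <excludes>
                    <exclude>com.fasterxml.jackson.core:jackson-databind:[,2.12.6)</exclude>
                    <exclude>com.fasterxml.jackson.core:jackson-databind:[2.13.0]</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` shows which path still resolves an affected version if the enforcer rule fails.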
Issue Links
- defines
  - UXPROD-3262 NFR: Data Import R1 2022 Lotus Technical, NFR, & Misc work (Closed)
- relates to
  - MODSOURMAN-636 jackson-databind 2.10 has been closed but is required by kafka-junit (Closed)
  - MODSOURMAN-704 jackson-databind 2.13.1 fixing DoS JsonNode issue (Closed)