[GHSA-jjjh-jjxp-wpff] Uncontrolled Resource Consumption in Jackson-databind #4796

Conversation

astashys

Updates

  • Affected products

Comments
It seems like CVE-2022-42003 was fixed in jackson-databind with version 2.13.4.1 (12-Oct-2022) according to the release notes: https://github.com/FasterXML/jackson-databind/blob/04a6719805a26b4e5699285b7110ec1bfd655365/release-notes/VERSION-2.x#L561

@github-actions github-actions bot changed the base branch from main to astashys/advisory-improvement-4796 September 12, 2024 10:00
@darakian
Contributor

I believe your change is technically correct, but 2.13.4.1 seems to have a build issue that causes failures for Gradle users.
see:
FasterXML/jackson-databind#3590
FasterXML/jackson-databind#3627

Given the minor differences between 2.13.4.1 and 2.13.4.2, I think it makes more sense that 2.13.4.2 is delivered as the suggested update target so that Gradle users are not subject to broken builds. Thoughts?

@astashys
Author

The reason for my request is to eliminate the difference between databases.
Having different severities in different databases is common, but having different information about which versions are vulnerable is inconvenient when using different scanning tools.
Snyk says 2.13.4.1 is not vulnerable, but Grype says it is vulnerable.
In our case, our partner using Snyk was confident that his application didn't contain vulnerable third-party dependencies and delivered a release, but we got different results using Grype.
In the opposite case, I would ask Snyk to revise the versions, but in this particular case it seems technically correct to make the change here.
I hope consistency is a good reason to make the change.

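The disagreement described in the comment above comes down to one boundary: whether the half-open affected range on the 2.13 line ends at 2.13.4.1 or 2.13.4.2. The following is an added example (not code from this PR, the advisory, Snyk or Grype) that reproduces the effect with a Maven-style version comparison and two constructed advisory records. The record names `snyk_like` and `ghsa_like`, and the introduced version `2.13.0`, are assumptions for illustration; only the two first-fixed versions come from the thread.

```python
"""Why two scanners disagree about jackson-databind 2.13.4.1.

Added example, not code from the advisory, the PR, Snyk or Grype.  It models
the thread: one database records the first fixed 2.13 release as 2.13.4.1,
the other as 2.13.4.2, so a scanner using each classifies 2.13.4.1 differently.
"""
import re

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?")


def version_key(text: str) -> tuple:
    """Comparable key for a dotted version, following Maven's conventions.

    Trailing zero segments are insignificant (2.13.4.0 == 2.13.4), so a
    four-segment patch release such as 2.13.4.1 sorts after 2.13.4, and a
    qualifier (2.14.0-rc1) sorts before the plain release it precedes.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    while len(parts) > 1 and parts[-1] == 0:  # 2.13.4.0 -> 2.13.4
        parts = parts[:-1]
    qualifier = m.group(2) or ""
    # A release (empty qualifier) outranks any qualified build of the same number.
    return (parts, 1 if not qualifier else 0, qualifier)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the usual advisory range shape)."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


# Constructed records for CVE-2022-42003 on the 2.13 line.  The first-fixed
# versions are the two the thread discusses; "2.13.0" as the introduced version
# is an assumption and these are not the databases' actual entries.
RECORDS = {
    "snyk_like": ("2.13.0", "2.13.4.1"),  # thread: Snyk treats 2.13.4.1 as fixed
    "ghsa_like": ("2.13.0", "2.13.4.2"),  # thread: GHSA/Grype first fixed is 2.13.4.2
}


def scan(version: str) -> dict:
    """Classify one component version against every record."""
    return {name: is_affected(version, lo, hi) for name, (lo, hi) in RECORDS.items()}


def disagreements(versions) -> list:
    """Versions the records classify differently: exactly the gap between the
    two first-fixed versions, which is what shows up as a scanner mismatch."""
    return [v for v in versions if len(set(scan(v).values())) > 1]


if __name__ == "__main__":
    # Constructed sample of jackson-databind versions as they might appear in
    # several lock files.
    sample = ["2.13.3", "2.13.4", "2.13.4.1", "2.13.4.2", "2.14.0-rc1"]
    for v in sample:
        print(f"{v:<12} {scan(v)}")
    print("disagree:", disagreements(sample))
```

Running it shows every version except 2.13.4.1 classified identically by both records; 2.13.4.1 alone is "fixed" under the first and "affected" under the second, which is the release-gate outcome described in the comment. A team that must reconcile two feeds can use the same comparison to list the versions in the gap rather than trusting either tool's verdict alone.
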
@darakian
Contributor

darakian commented Sep 13, 2024

Definitely a fair reason to raise the concern, but we're going to keep 2.13.4.2 as the first fixed version so that we do not impose an unnecessarily bad experience on Gradle users. We've done similar things in the past as well,
ex. #4714

Forcing bad user experience in exchange for a minor technical correction is not a good trade off. That said, I will add some language to the advisory to make this more clear.

@github-actions github-actions bot deleted the astashys-GHSA-jjjh-jjxp-wpff branch September 13, 2024 18:29