Replies: 1 comment 1 reply
-
@IlanaVek could you tell us how you are affected by this? We did not request this CVE. It is still being analysed by the CVE issue authority. Jackson's behaviour could be improved in this area but we don't see how a malicious actor can cause the StackOverflow. Only a trusted developer could write code that would cause this to happen. If they write basic unit tests, they would catch it. In short, we don't think this CVE should be issued and hopefully will try to get it removed. If you read FasterXML/jackson-databind#3972 (comment) - you will see that even JDK methods like hashCode can cause similar issues with similarly nested structures. Are we going to start issuing CVEs
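The comment above makes two points: the deeply nested structure has to be built by a trusted developer, and a plain unit test catches it before `hashCode` (or serialization) recurses once per level and overflows the stack. The following is an added example written for this thread, not code from the Jackson project or from either commenter. It builds such a nested `List` as constructed input and shows an iterative depth check that a test can run before the recursive JDK call; the depth limit of 100 and the class and method names are assumptions for the example.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Deque;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Jackson project code. Demonstrates that a structure nested
 * deeply enough makes even java.util.List#hashCode recurse per level, and that
 * an iterative depth check in a unit test catches it before that call is made.
 */
public class NestingDepthCheck {

    /** Builds a list nested 'depth' levels deep: [[[...]]]. Constructed input for the example. */
    static List<Object> buildNested(int depth) {
        List<Object> current = new ArrayList<>();
        for (int i = 0; i < depth; i++) {
            List<Object> outer = new ArrayList<>();
            outer.add(current);
            current = outer;
        }
        return current;
    }

    /**
     * Maximum nesting depth of Collections/Maps reachable from 'root'.
     * Uses an explicit work stack, so it never recurses and cannot itself overflow.
     */
    static int maxDepth(Object root) {
        Deque<Object[]> work = new ArrayDeque<>();
        work.push(new Object[] { root, 1 });
        int max = 0;
        while (!work.isEmpty()) {
            Object[] item = work.pop();
            Object node = item[0];
            int depth = (Integer) item[1];
            Collection<?> children = null;
            if (node instanceof Collection) {
                children = (Collection<?>) node;
            } else if (node instanceof Map) {
                children = ((Map<?, ?>) node).values();
            }
            if (children == null) {
                continue; // scalar leaf: contributes no container depth
            }
            max = Math.max(max, depth);
            for (Object child : children) {
                work.push(new Object[] { child, depth + 1 });
            }
        }
        return max;
    }

    /** Fails fast if the structure exceeds 'limit'; the limit is a project-specific, assumed value. */
    static void assertDepthWithin(Object value, int limit) {
        int depth = maxDepth(value);
        if (depth > limit) {
            throw new IllegalStateException("nesting depth " + depth + " exceeds limit " + limit);
        }
    }

    public static void main(String[] args) {
        List<Object> shallow = buildNested(10);
        assertDepthWithin(shallow, 100);          // passes
        System.out.println("shallow hashCode = " + shallow.hashCode());

        List<Object> deep = buildNested(200_000);
        try {
            assertDepthWithin(deep, 100);         // fails before any recursive call
        } catch (IllegalStateException e) {
            System.out.println("caught in test: " + e.getMessage());
        }
        // deep.hashCode() is deliberately not called: with a default thread stack it
        // recurses once per level and ends in StackOverflowError, which is the same
        // behaviour the comment above attributes to Jackson's serializer.
    }
}
```

Run it with `javac NestingDepthCheck.java && java NestingDepthCheck`. The point of the check is that it is iterative: a recursive depth counter would overflow on the very input it is meant to reject.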
-
Hello,
New issue discovered in Mend for current latest jackson-databind 2.15.2
https://www.mend.io/vulnerability-database/CVE-2023-35116
Do you have plans for a fix release?
Thanks