Presto JDBC driver needs to upgrade Jackson libraries to 2.16.0 due to various CVE's #21717
Labels
Comments
github-project-automation
bot
moved this to 🆕 Unprioritized
in Bugs and support requests
|
hi @dqmdev - we'd be happy for you to open up a PR if you'd like to work on this and contribute it back to the community. |
|
Resolved with this PR upgrading the Jackson dependencies: #23753 Also, GHSA-gx6w-fqg7-mc3p says that versions up to 2.15.2 are vulnerable so 2.15.4 should be fine. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Latest Presto JDBC driver (0.285) appears to still be using Jackson 2.10, which is old.
There are several well-publicized CVE's against this version of Jackson, notably:
com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS).
PRISMA-2023-0067
Add numeric value size limits via
StreamReadConstraints(fixessonatype-2022-6438) -- default 1000 chars FasterXML/jackson-core#827PRISMA-2023-0068
Trim tokens in error messages to 256 byte to prevent attacks FasterXML/jackson-core#322
PRISMA-2023-0069
OutOfMemoryErrorwhen writing BigDecimal FasterXML/jackson-core#315CVE-2023-35116: jackson-databind is vulnerable to denial of service, fixed in Jackson 2.16.0
https://nvd.nist.gov/vuln/detail/CVE-2023-35116
The text was updated successfully, but these errors were encountered: