WS-2018-0125 (Medium) detected in multiple libraries - autoclosed

[mend-bolt-for-github]

WS-2018-0125 - Medium Severity Vulnerability

Vulnerable Libraries - jackson-core-2.5.4.jar, jackson-core-2.5.1.jar, jackson-core-2.2.3.jar, jackson-core-2.0.5.jar, jackson-core-2.6.2.jar

jackson-core-2.5.4.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson

Path to vulnerable library: madness/sub5/target/madness-sub5-2019.02.01/WEB-INF/lib/jackson-core-2.5.4.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.5.4/jackson-core-2.5.4.jar

Dependency Hierarchy:

• ❌ jackson-core-2.5.4.jar (Vulnerable Library)

jackson-core-2.5.1.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson

Path to dependency file: madness/sub3/pom.xml

Path to vulnerable library: canner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.5.1/jackson-core-2.5.1.jar,madness/sub3/target/madness-sub3-2019.02.01/WEB-INF/lib/jackson-core-2.5.1.jar

Dependency Hierarchy:

• ❌ jackson-core-2.5.1.jar (Vulnerable Library)

jackson-core-2.2.3.jar

Core Jackson abstractions, basic JSON streaming API implementation

Path to vulnerable library: madness/sub2/target/madness-sub2-2019.02.01/WEB-INF/lib/jackson-core-2.2.3.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.2.3/jackson-core-2.2.3.jar

Dependency Hierarchy:

• ❌ jackson-core-2.2.3.jar (Vulnerable Library)

jackson-core-2.0.5.jar

Core Jackson abstractions, basic JSON streaming API implementation

Path to vulnerable library: madness/sub1/target/madness-sub1-2019.02.01/WEB-INF/lib/jackson-core-2.0.5.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.0.5/jackson-core-2.0.5.jar

Dependency Hierarchy:

• ❌ jackson-core-2.0.5.jar (Vulnerable Library)

jackson-core-2.6.2.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to vulnerable library: madness/ear/target/madness-ear-2019.02.01/jackson-core-2.6.2.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.2/jackson-core-2.6.2.jar

Dependency Hierarchy:

• ❌ jackson-core-2.6.2.jar (Vulnerable Library)

Found in HEAD commit: 032e0bc50a6a45a60e9aed1a5aae9530ad02548a

Vulnerability Details

OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.

Publish Date: 2016-08-25

URL: WS-2018-0125

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://github.com/FasterXML/jackson-core/releases/tag/jackson-core-2.7.7

Release Date: 2016-08-25

Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.7.7

---

Step up your Open Source Security Game with WhiteSource here

[mend-bolt-for-github]

ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #682