[Security] Bump jackson-databind from 2.13.3 to 2.13.4.2
Bumps jackson-databind from 2.13.3 to 2.13.4.2. This update includes security fixes.
Vulnerabilities fixed
Uncontrolled Resource Consumption in FasterXML jackson-databind
In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Patched versions: 2.13.4
Affected versions: >= 2.13.0, < 2.13.4
Uncontrolled Resource Consumption in Jackson-databind
In FasterXML jackson-databind 2.12.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.1, and 2.14.0.
Patched versions: 2.13.4.1; 2.13.4.2
Affected versions: >= 2.13.0, < 2.13.4.2
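As an added example (not code from Dependabot or from the jackson-databind project), the following Java class shows the two checks a reviewer of this MR would want for both advisories above: whether an ObjectMapper has UNWRAP_SINGLE_VALUE_ARRAYS enabled, which is the precondition the second advisory names, and a streaming pre-check that rejects input nested deeper than a fixed limit before any deserializer recurses into it, as a compensating control for services that cannot take the upgrade immediately. The class DepthGuard, its methods and the MAX_DEPTH limit are my own names; the code assumes jackson-databind 2.13.x on the classpath and the sample inputs are constructed.

```java
import java.io.IOException;
import java.util.Map;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example; not Dependabot's or jackson-databind's own code.
// Assumes jackson-databind 2.13.x. Class, method and constant names are hypothetical.
public final class DepthGuard {

    // Constructed limit: generous for legitimate payloads, far below what exhausts the stack.
    static final int MAX_DEPTH = 64;

    // Reports whether the mapper has the setting the second advisory depends on.
    // The feature is disabled by default in Jackson; enabling it is an explicit choice worth auditing.
    static boolean unwrapsSingleValueArrays(ObjectMapper mapper) {
        return mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    // Streams over the input once, counting open arrays/objects, and stops as soon as the
    // nesting exceeds maxDepth. The streaming parser builds no tree and does not recurse,
    // so the check costs O(n) time and O(1) memory regardless of input shape.
    static boolean exceedsNestingDepth(JsonFactory factory, String json, int maxDepth) throws IOException {
        int depth = 0;
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    if (++depth > maxDepth) {
                        return true;
                    }
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return false;
    }

    // Binds untrusted JSON only after the depth check passes.
    static <T> T readGuarded(ObjectMapper mapper, String json, Class<T> type) throws IOException {
        if (exceedsNestingDepth(mapper.getFactory(), json, MAX_DEPTH)) {
            throw new IOException("rejected: JSON nesting deeper than " + MAX_DEPTH);
        }
        return mapper.readValue(json, type);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("UNWRAP_SINGLE_VALUE_ARRAYS enabled: " + unwrapsSingleValueArrays(mapper));

        // Constructed inputs: an ordinary document and one nested just past the limit.
        String normal = "{\"id\": 7, \"tags\": [\"a\", \"b\"]}";
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i <= MAX_DEPTH; i++) deep.append('[');
        deep.append('1');
        for (int i = 0; i <= MAX_DEPTH; i++) deep.append(']');

        Map<?, ?> bound = readGuarded(mapper, normal, Map.class);
        System.out.println("bound ordinary document with " + bound.size() + " fields");
        System.out.println("normal exceeds limit: " + exceedsNestingDepth(mapper.getFactory(), normal, MAX_DEPTH));
        System.out.println("deep exceeds limit:   " + exceedsNestingDepth(mapper.getFactory(), deep.toString(), MAX_DEPTH));
    }
}
```

The pre-check reads the input a second time, which is the price of keeping the guard independent of the affected deserializers; for large bodies, wrap the request stream instead of a String so the same logic applies to streaming input. From Jackson 2.15 onward the same limit can be set natively through StreamReadConstraints (maxNestingDepth, default 1000), which is the preferable route once the upgrade path permits it.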
Commits
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot rebase will rebase this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts