dropbox/dropbox-sdk-java

Known vulnerability with current version of the Jackson library

Skullper opened this issue · 4 comments

My project cannot be approved by the security team because of the known vulnerability in the Jackson library version used in the Dropbox SDK.
The problem is with the WRITE_BIGDECIMAL_AS_PLAIN setting. If this setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent. The following sample code will trigger an out-of-memory exception:

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.ObjectMapper;
ObjectMapper mapper = new ObjectMapper().enable(JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN);
mapper.writeValueAsString(new java.math.BigDecimal("9.223372E+1010671858")); // plain form expands the exponent into ~10^9 digits

I'm not sure if your SDK is using this setting, but there is no guarantee that it won't be used in the future. The recommendation from the security team was to update the Jackson library to 2.7.7 or higher.

Can I hope that the Jackson library will be updated in later releases of the SDK?
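As an added illustration, not code from this issue or from the Dropbox SDK, the following custom serializer keeps plain output for ordinary values but refuses to expand a BigDecimal whose plain form would need an unbounded number of digits; the class name and the 10,000-digit threshold are assumptions chosen for the example.

```java
import java.io.IOException;
import java.math.BigDecimal;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;

/** Writes a BigDecimal as plain digits only when the expansion stays bounded. */
public class BoundedPlainBigDecimalSerializer extends JsonSerializer<BigDecimal> {
    // Assumed limit for this example: anything needing more digits is kept in exponent form.
    private static final long MAX_PLAIN_DIGITS = 10_000;

    @Override
    public void serialize(BigDecimal value, JsonGenerator gen, SerializerProvider provider)
            throws IOException {
        // Digits the plain form would occupy: the significant digits plus the
        // trailing zeros implied by a negative scale (e.g. 9.223372E+1010671858).
        long plainDigits = (long) value.precision() + Math.max(0, -(long) value.scale());
        if (plainDigits <= MAX_PLAIN_DIGITS) {
            gen.writeNumber(value.toPlainString()); // bounded: safe to write plain
        } else {
            gen.writeNumber(value.toString());      // unbounded: keep scientific notation
        }
    }

    /** Builds a mapper that never enables WRITE_BIGDECIMAL_AS_PLAIN globally. */
    public static ObjectMapper mapper() {
        SimpleModule module = new SimpleModule()
                .addSerializer(BigDecimal.class, new BoundedPlainBigDecimalSerializer());
        return new ObjectMapper().registerModule(module);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = mapper();
        // Small exponent: written as plain digits.
        System.out.println(mapper.writeValueAsString(new BigDecimal("1.5E+3")));
        // The value from the issue: kept in exponent form instead of expanding in memory.
        System.out.println(mapper.writeValueAsString(new BigDecimal("9.223372E+1010671858")));
    }
}
```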

Thanks for letting us know! I can't make any promises myself, but I'm raising this with the team to see if we can get that dependency version raised.

Good news, we've bumped that dependency version, so that change should be in the next release.

@greg-db I'm grateful for such a quick response. Will be waiting patiently for a new release.

The updated dependency is now included in the new release v5.2.0.