[GHSA-72hv-8253-57qq] jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition #7271
Conversation
Hi there @cowtowncoder! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "tools.jackson.core:jackson-core" |
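Review bot: the package entry in this hunk names tools.jackson.core:jackson-core, which per the maintainer's comment is the Maven namespace for the 3.x line, while com.fasterxml.jackson.core is the namespace for 2.x; the affected-version range paired with this entry therefore needs to be the 3.x range, and the com.fasterxml.jackson.core entry should be kept with its 2.x range rather than removed, so that both artifact coordinates remain covered by the advisory.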
These are wrong way around: com.fasterxml.jackson is for 2.x; tools.jackson for 3.x
cowtowncoder left a comment:
These package ids are wrong way around: com.fasterxml.jackson is for 2.x; tools.jackson for 3.x -- should not remove section but fix in both cases.
The 3.x versions belong to tools.jackson.core:jackson-core (different Maven namespace). The vendor advisory (GHSA-72hv-8253-57qq) does NOT list the 3.x range for com.fasterxml.jackson.core.