RESTEasy / RESTEASY-2279

json-patch pulls in vulnerable guava


• Bug
• Resolution: Done
• Major
• 4.3.0.Final, 3.9.0.Final

json-patch 1.9 is from Nov 2014 - https://mvnrepository.com/artifact/com.github.fge/json-patch

In WF the guava version is overridden, but in other projects these strict rules may not be applied, or not all the deps are controlled.

Info from snyk.io:

Deserialization of Untrusted Data
Vulnerable module: com.google.guava:guava
Introduced through: com.github.fge:json-patch@1.9
Detailed paths
Introduced through: org.jboss.resteasy:resteasy-jackson2-provider@4.1.0-SNAPSHOT › com.github.fge:json-patch@1.9 › com.github.fge:jackson-coreutils@1.6 › com.google.guava:guava@16.0.1
com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data.
During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:
AtomicDoubleArray (when serialized with Java serialization)
CompoundOrdering (when serialized with GWT serialization)
An attacker may be able to send a specially crafted request which will then cause the server to allocate all its memory, without validating whether the data size is reasonable.
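Added example, not code from this issue or from the RESTEasy project: a Maven fragment for a project that consumes resteasy-jackson2-provider and wants the transitive guava pinned on every path (json-patch › jackson-coreutils › guava) rather than relying on whatever the resolver picks, plus an enforcer rule so the build fails if an old guava still resolves. The coordinates are the ones from the snyk path in the issue; the 24.1.1 lower bound is my assumption of the first guava release that contains the deserialization fix, so check it against the advisory you are tracking.

```xml
<!-- Added example, not from the RESTEasy project. Assumption: 24.1.1 is
     the first guava release carrying the deserialization fix. -->
<dependencyManagement>
  <dependencies>
    <!-- dependencyManagement overrides the 16.0.1 that jackson-coreutils
         declares, on every transitive path, without per-dependency
         <exclusions>. The -jre qualifier sorts above plain 24.1.1 in
         Maven's version ordering, so the enforcer range below admits it. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>24.1.1-jre</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-jackson2-provider</artifactId>
    <!-- version taken from the snyk path quoted in the issue -->
    <version>4.1.0-SNAPSHOT</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Fail the build if any guava older than 24.1.1 resolves, including
         through transitive paths (searchTransitive defaults to true).
         Plugin version is assumed to be managed in a parent pom. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-vulnerable-guava</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>com.google.guava:guava:[,24.1.1)</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Confirm which guava actually lands on the classpath with `mvn dependency:tree -Dincludes=com.google.guava:guava`; the enforcer rule then catches regressions when a future dependency bump drags an old guava back in.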

rhn-support-asoldano Alessio Soldano
rsvoboda@redhat.com Rostislav Svoboda