Type: Bug
Resolution: Done
Priority: Major
json-patch pulls in vulnerable guava
json-patch 1.9 dates from Nov 2014 - https://mvnrepository.com/artifact/com.github.fge/json-patch
In WF the guava version is overridden, but in other projects such strict rules may not be applied, or not all of the dependencies are controlled.
Info from snyk.io:

Deserialization of Untrusted Data
Vulnerable module: com.google.guava:guava
Introduced through: com.github.fge:json-patch@1.9

Detailed paths
Introduced through: org.jboss.resteasy:resteasy-jackson2-provider@4.1.0-SNAPSHOT › com.github.fge:json-patch@1.9 › com.github.fge:jackson-coreutils@1.6 › com.google.guava:guava@16.0.1

Overview
com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:
- AtomicDoubleArray (when serialized with Java serialization)
- CompoundOrdering (when serialized with GWT serialization)
An attacker may be able to send a specially crafted request which will then cause the server to allocate all its memory, without validating whether the data size is reasonable.
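The Snyk text above describes the mechanism but does not show it. The following Java program is an added illustration for this issue, not code from the page, from Snyk, from json-patch or from Guava itself: the class DoubleArrayHolder, the demo class GuavaStyleDeserDemo and the static `hardened` switch are all assumptions made for the demo. It reproduces the pattern the advisory attributes to AtomicDoubleArray's readObject (read an untrusted element count, allocate an array of that size, then read the elements) next to the bounded alternative of reading elements as they arrive and sizing the array from what was actually received. The "hostile" stream carries two doubles but claims a count of roughly two billion, which is what a crafted request against the vulnerable guava 16.0.1 pulled in by json-patch 1.9 would look like at the Java-serialization level.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for Guava's AtomicDoubleArray (NOT Guava code):
// the serialized form is "int count" followed by that many doubles.
final class DoubleArrayHolder implements Serializable {
    private static final long serialVersionUID = 1L;

    // Demo switch (assumption): false = vulnerable readObject, true = hardened one.
    static boolean hardened = false;

    private transient double[] values;
    // What the writer CLAIMS the count is. An attacker building the stream
    // can make this say anything regardless of how many doubles follow.
    private transient int claimedCount;

    DoubleArrayHolder(double[] values, int claimedCount) {
        this.values = values;
        this.claimedCount = claimedCount;
    }

    int size() { return values.length; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeInt(claimedCount);
        for (double v : values) out.writeDouble(v);
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int count = in.readInt();               // untrusted, attacker-controlled
        if (!hardened) {
            // Vulnerable pattern: allocate 'count' slots before a single element
            // has been read. A count near Integer.MAX_VALUE asks for ~16 GiB.
            values = new double[count];
            for (int i = 0; i < count; i++) values[i] = in.readDouble();
        } else {
            // Hardened pattern: consume elements as they arrive and size the array
            // from what was really read. A lying count just ends in EOFException
            // once the stream runs dry, so memory is bounded by bytes actually sent.
            List<Double> buf = new ArrayList<>();
            for (int i = 0; i < count; i++) buf.add(in.readDouble());
            values = new double[buf.size()];
            for (int i = 0; i < values.length; i++) values[i] = buf.get(i);
        }
    }
}

public class GuavaStyleDeserDemo {
    // Build a stream with only two doubles but an arbitrary claimed count.
    static byte[] craft(int claimedCount) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new DoubleArrayHolder(new double[] {1.0, 2.0}, claimedCount));
        }
        return bos.toByteArray();
    }

    static String tryRead(byte[] stream, boolean hardened) {
        DoubleArrayHolder.hardened = hardened;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            DoubleArrayHolder h = (DoubleArrayHolder) ois.readObject();
            return "ok, " + h.size() + " elements";
        } catch (EOFException e) {
            return "rejected: stream ended before the claimed count (EOFException)";
        } catch (OutOfMemoryError e) {
            return "OOM: " + e.getMessage();   // the DoS the advisory describes
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] honest = craft(2);
        byte[] hostile = craft(Integer.MAX_VALUE - 8);   // claims ~16 GiB of doubles

        System.out.println("honest / vulnerable : " + tryRead(honest, false));
        System.out.println("honest / hardened   : " + tryRead(honest, true));
        System.out.println("hostile / vulnerable: " + tryRead(hostile, false));
        System.out.println("hostile / hardened  : " + tryRead(hostile, true));
    }
}
```

Save as GuavaStyleDeserDemo.java and run with `javac GuavaStyleDeserDemo.java && java -Xmx256m GuavaStyleDeserDemo`; the small heap makes the vulnerable path fail with OutOfMemoryError on the hostile stream, while the hardened path rejects it with EOFException after reading the two real elements. To check whether a build is exposed through this transitive path, `mvn dependency:tree -Dincludes=com.google.guava:guava` shows which guava version actually resolves; overriding it in `<dependencyManagement>` (as WF does) or excluding it from json-patch is only effective if that pinned version contains the fix (Guava 24.1.1 and later, which addresses the advisory tracked as CVE-2018-10237).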