Talend Component Kit: TCOMP-2522

Upgrade johnzon to 1.2.21



    Description

      Title: johnzon-mapper:1.2.20 CVE-2023-33008

      Defect Dojo link: https://defectdojo.dagali.talendinc.com/finding/308063 (308063)

      Severity: Medium

      Due Date: Jan. 11, 2024

      CWE: CWE-502

      CVE: CVE-2023-33008

      CVSSv3 Score: 5.3

      Product/Engagement/Test: Studio / veracode-sca-Talend_studio-full-master_build_talend.studio.tup.product_pom-scan_poms_master / Veracode SourceClear Scan

      Vulnerable Component: johnzon-mapper - 1.2.20

      Description:
      Project name: Talend/studio-full-master/build/talend.studio.tup.product/pom-scan/poms
      Title: Apache Johnzon Deserialization of Untrusted Data vulnerability
      Description: A malicious attacker can craft JSON input containing very large numbers (such as 1e20000000) that Apache Johnzon deserializes into a BigDecimal; converting such oversized numbers can be extremely slow, creating a denial-of-service risk. Apache Johnzon 1.2.21 mitigates this by enforcing a scale limit of 1000 (by default) on the BigDecimal.

      This issue affects Apache Johnzon through 1.2.20.

      References:

      https://sca.analysiscenter.veracode.com/teams/X33hjMQ/issues/vulnerabilities/196900253

      Reporter: (infosec-scans) (security-scan@talend.com)

      People: Zheng Huang Yuan (zyuan), Yueyan Yin