Updated gremlin driver version in order to solve jackson vulnerabilities. (!786) · Merge requests · OSDU Software / OSDU Data Platform / Security and Compliance / Entitlements

Daniel Scholl requested to merge vulnerabilities into master Dec 14, 2024

Fix: Upgrade Gremlin Driver to resolve vulnerabilities in `jackson-databind`

This PR addresses high-severity vulnerabilities identified in the jackson-databind library. Below is the list of vulnerabilities that have been resolved:

Resolved Vulnerabilities:

com.fasterxml.jackson.core:jackson-databind
- Vulnerability: CVE-2020-36518
  - Severity: High
  - Issue: Denial of Service via a large depth of nested objects.
  - Resolution: Upgraded from 2.11.3 to 2.13.2.1.
- Vulnerability: CVE-2021-46877
  - Severity: High
  - Issue: Possible Denial of Service if using JDK serialization to serialize JsonNode.
  - Resolution: Upgraded from 2.11.3 to 2.13.1.
- Vulnerability: CVE-2022-42003
  - Severity: High
  - Issue: Vulnerability with deep wrapper array nesting related to UNWRAP_SINGLE_VALUE_ARRAYS.
  - Resolution: Upgraded from 2.11.3 to 2.13.4.2.
- Vulnerability: CVE-2022-42004
  - Severity: High
  - Issue: Use of deeply nested arrays can lead to potential issues.
  - Resolution: Upgraded from 2.11.3 to 2.13.4.

By upgrading to a secure version of jackson-databind, this PR ensures enhanced security and mitigates the risks associated with these vulnerabilities. Please review and approve.

Updated gremlin driver version in order to solve jackson vulnerabilities.

Fix: Upgrade Gremlin Driver to resolve vulnerabilities in jackson-databind

Resolved Vulnerabilities:

Merge request reports

Fix: Upgrade Gremlin Driver to resolve vulnerabilities in `jackson-databind`