Jackson had this problem a few months back, where someone reported a critical CVE against the project and broke builds all around the planet https://github.com/FasterXML/jackson-databind/issues/3972
Basically the programmer (not the attacker) had to write code where an object contained itself
HashMap<String, Object> map = new HashMap<>();
map.put("recursive", map);
After this, Jackson would indeed stack overflow if you asked it to wrap the object to JSON. Then again, half the built-in Java functions (e.g. getting an object hashcode for the map object) also fail for a recursive structure.
The issue remains open 3 months later, Mitre still thinks it's hella serious, and people have yet again learned to just ignore their CI warning about CVEs
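A pre-serialization guard for the self-containing structure described above, written here as an added example (not Jackson's or the commenter's code). The CycleCheck class and hasCycle method are assumed names; the check walks maps and collections by identity, since calling equals() or hashCode() on such an object is exactly the recursion that overflows, and the main method also reproduces the built-in hashCode() failure the comment mentions:

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;

public class CycleCheck {

    // Returns true if following Map values / Collection elements from root
    // revisits an object that is still on the current path, i.e. a cycle.
    // Identity (==) comparison is used on purpose: calling equals()/hashCode()
    // on a self-containing map would itself overflow the stack.
    static boolean hasCycle(Object root) {
        return walk(root, Collections.newSetFromMap(new IdentityHashMap<>()));
    }

    private static boolean walk(Object node, Set<Object> onPath) {
        if (!(node instanceof Map) && !(node instanceof Collection)) {
            return false;           // leaf value: nothing further to traverse
        }
        if (!onPath.add(node)) {
            return true;            // already on the current path: cycle
        }
        Collection<?> children = node instanceof Map
                ? ((Map<?, ?>) node).values()
                : (Collection<?>) node;
        for (Object child : children) {
            if (walk(child, onPath)) {
                return true;
            }
        }
        onPath.remove(node);        // backtrack: shared (non-cyclic) references are fine
        return false;
    }

    public static void main(String[] args) {
        HashMap<String, Object> map = new HashMap<>();
        map.put("recursive", map);  // the self-containing structure from the comment

        System.out.println("cycle detected: " + hasCycle(map));

        try {
            map.hashCode();         // built-in method, same recursive failure mode
        } catch (StackOverflowError e) {
            System.out.println("hashCode() overflowed the stack");
        }
    }
}
```

Running hasCycle() on an object graph before handing it to a serializer lets a service reject or log the malformed input instead of crashing a worker thread.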
Unfortunately, the CVE database(s) are too noisy to be useful. It could benefit from higher standards and more thorough vetting. (Maybe take some lessons from academia.)
A "security researcher" once filed a CVE for a regular bug in Caddy [0], making claims that were totally provably false. It was assigned 7.5... the same as Heartbleed [1] -- yes, the one that leaked almost all the private encryption keys on the Internet back in 2014.
More recently I inadvertently discovered a 0-day RCE in acme.sh [2]. (ACME clients are security-sensitive contexts since they typically deal with private keys and download signed credentials.) Anyway, it was assigned a CVSS 3.x score of *9.8* [3] -- I imagine that should be like "cyber-nuclear meltdown" territory, but no, this was actually benign as far as we can tell. Probably deserves more like a 5 or 6 or something.
Anyway, the whole system is broken, and I'm effectively ignoring CVEs now. But if someone tells me to patch my , I'll probably just do that.
[0]: https://github.com/caddyserver/caddy/issues/4775
[1]: https://nvd.nist.gov/vuln/detail/cve-2014-0160
[2]: https://matt.life/writing/the-acme-protocol-in-practice-and-...
[3]: https://nvd.nist.gov/vuln/detail/CVE-2023-38198
Greg Kroah-Hartman (the kernel developer/maintainer) in 2019 gave a presentation about some of the issues with CVEs.
https://www.youtube.com/watch?v=HeeoTE9jLjM
https://github.com/gregkh/presentation-cve-is-dead