REDHAT-BUG-2374804
jackson-core contains the core low-level incremental ("streaming") parser and generator abstractions used by the Jackson Data Processor. In versions prior to 2.15.0, parsing an input document with very deeply nested data (for example, thousands of nested arrays or objects) could make Jackson throw a StackOverflowError once the depth exhausted the thread stack. Because StackOverflowError is an Error rather than an Exception, ordinary exception handling around the parse typically does not catch it, so attacker-controlled input can take down the parsing thread or process. jackson-core 2.15.0 adds a configurable limit on how deep Jackson will traverse an input document (StreamReadConstraints, default maximum nesting depth 1000); when the limit is reached, jackson-core throws a StreamConstraintsException, a regular checked exception that callers can handle. jackson-databind benefits from this change as well, because it uses jackson-core to parse JSON input. As a workaround on older versions, avoid parsing input from untrusted sources.
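The following is an added example, not code from the advisory or from the Jackson project, showing the 2.15.0 nesting-depth constraint in practice: a constructed, deeply nested document is rejected with StreamConstraintsException under the default limit of 1000, and a second mapper is configured with a tighter limit via StreamReadConstraints for an endpoint whose schema never legitimately nests that deep. The class name NestingDepthDemo and the depth values are assumptions chosen for the demonstration; it requires jackson-core and jackson-databind 2.15.0 or later on the classpath.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

/**
 * Added example (hypothetical class, not part of Jackson or the advisory).
 * Demonstrates the maxNestingDepth constraint introduced in jackson-core 2.15.0.
 */
public class NestingDepthDemo {

    /** Constructed hostile input: {@code depth} nested empty arrays, e.g. "[[[]]]" for depth 3. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Parses {@code json} with {@code mapper} and reports which outcome occurred. */
    static String parseOutcome(ObjectMapper mapper, String json) {
        try {
            JsonNode root = mapper.readTree(json);
            return "parsed OK, root has " + root.size() + " element(s)";
        } catch (StreamConstraintsException e) {
            // 2.15+: the configured depth limit fired. This is a checked exception
            // (a JsonProcessingException subclass), so it is safe to handle and log.
            return "rejected by StreamReadConstraints: " + e.getMessage();
        } catch (JsonProcessingException e) {
            return "other parse error: " + e.getMessage();
        } catch (StackOverflowError e) {
            // Pre-2.15 failure mode (or a disabled limit): an Error, not an Exception,
            // so a plain catch (Exception e) never sees it and the thread dies.
            return "StackOverflowError: unbounded recursion on nested input";
        }
    }

    public static void main(String[] args) {
        // Constructed input well above the 2.15 default of 1000 levels.
        String hostile = nestedArrays(5000);

        // Default 2.15+ ObjectMapper: maxNestingDepth is 1000, so the document is rejected.
        ObjectMapper defaultMapper = new ObjectMapper();
        System.out.println("default limit (1000): " + parseOutcome(defaultMapper, hostile));

        // Tighter limit for an API whose documents never legitimately exceed 50 levels.
        // Assumed value; pick it from your own schema, not from this example.
        StreamReadConstraints strict = StreamReadConstraints.builder()
                .maxNestingDepth(50)
                .build();
        JsonFactory strictFactory = JsonFactory.builder()
                .streamReadConstraints(strict)
                .build();
        ObjectMapper strictMapper = JsonMapper.builder(strictFactory).build();

        System.out.println("strict limit, depth 50: " + parseOutcome(strictMapper, nestedArrays(50)));
        System.out.println("strict limit, depth 51: " + parseOutcome(strictMapper, nestedArrays(51)));
    }
}
```

The same StreamReadConstraints object can also be attached to a JsonFactory used for raw streaming (JsonParser) without databind; the limit is enforced in jackson-core, which is why databind inherits it. When deploying the fix, confirm the jackson-core artifact that actually ends up on the classpath (often a transitive dependency) is 2.15.0 or later, since a 2.15 jackson-databind paired with an older jackson-core does not get the constraint.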
Frequently Asked Questions
What is the severity of REDHAT-BUG-2374804?
The vulnerability REDHAT-BUG-2374804 is considered to have a high severity: an attacker who controls a JSON input can supply deeply nested data that triggers a StackOverflowError during parsing, which ordinary exception handling does not catch and which can terminate the parsing thread or the process (a denial of service).
How do I fix REDHAT-BUG-2374804?
To fix REDHAT-BUG-2374804, upgrade jackson-core (and jackson-databind, which depends on it) to version 2.15.0 or later, and verify that the jackson-core artifact actually resolved on the classpath is 2.15.0 or later rather than an older transitive version. The default maximum nesting depth of 1000 can be adjusted with StreamReadConstraints if your documents legitimately need more, or should be held to less.
Which software is affected by REDHAT-BUG-2374804?
Software affected by REDHAT-BUG-2374804 includes jackson-core and jackson-databind versions prior to 2.15.0.
What issue does REDHAT-BUG-2374804 cause?
REDHAT-BUG-2374804 can cause a StackOverflowError when parsing input with deeply nested data, crashing the thread or process that performs the parse.
Is REDHAT-BUG-2374804 present in the latest version?
No, REDHAT-BUG-2374804 is not present in jackson-core and jackson-databind version 2.15.0 and later.