
Upgrade jackson-databind package to >=2.16.0 version #299

@mahendra-maplelabs

Description

Currently, the jackson-databind package (version 2.13.5) used by amazon-kinesis-client has a medium severity vulnerability.

https://ubuntu.com/security/CVE-2023-35116
https://nvd.nist.gov/vuln/detail/CVE-2023-35116

Vulnerability Description

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

Expected resolution

Upgrade the jackson-databind package to version >=2.16.0: https://github.com/awslabs/amazon-kinesis-client-python/blob/master/pom.xml#L9
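A way to verify the requested resolution across a build, as an added example that is not part of this issue or of the amazon-kinesis-client-python project: the script below parses a Maven pom.xml, resolves `${property}` placeholders the way Maven does for plain properties, and flags any jackson-databind dependency whose resolved version is below the 2.16.0 minimum named in the issue. The embedded pom.xml is a constructed sample (not the project's real file) chosen to show the common property-driven version pattern; the function and property names are this example's own.

```python
"""Flag jackson-databind versions below a fixed release in a Maven pom.xml.

Added example, not project code. SAMPLE_POM is a constructed pom.xml; the
minimum version defaults to 2.16.0 as requested in the issue.
"""
import re
import xml.etree.ElementTree as ET

# Maven's default namespace; every element in a pom.xml lives in it.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: the jackson version is driven by a <properties> entry,
# which is the pattern a naive grep for "2.13.5" in <dependency> would miss.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>example-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.13.5</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '2.13.5' into (2, 13, 5); a non-numeric qualifier ends the tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def resolve_property(value, props):
    """Expand ${name} from <properties>; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def check_pom(pom_xml, group_id="com.fasterxml.jackson.core",
              artifact_id="jackson-databind", minimum="2.16.0"):
    """Return one finding per matching dependency in <dependencies> and
    <dependencyManagement>. 'outdated' is None when the version is inherited
    from a parent or BOM and so must be checked there instead."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}
    props.setdefault("project.version",
                     root.findtext("m:version", default="", namespaces=POM_NS).strip())

    findings = []
    paths = ("m:dependencies/m:dependency",
             "m:dependencyManagement/m:dependencies/m:dependency")
    for path in paths:
        for dep in root.findall(path, POM_NS):
            g = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
            a = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
            if (g, a) != (group_id, artifact_id):
                continue
            raw = dep.findtext("m:version", default=None, namespaces=POM_NS)
            if raw is None:
                findings.append({"version": None, "outdated": None,
                                 "note": "version managed by parent/BOM; check there"})
                continue
            version = resolve_property(raw.strip(), props)
            # An unresolved ${...} parses to () and is therefore flagged for review.
            outdated = parse_version(version) < parse_version(minimum)
            findings.append({"version": version, "outdated": outdated, "note": ""})
    return findings


if __name__ == "__main__":
    for f in check_pom(SAMPLE_POM):
        status = {True: "OUTDATED", False: "ok", None: "UNRESOLVED"}[f["outdated"]]
        print(f"jackson-databind {f['version']}: {status} {f['note']}")
```

Point the script at a real file with `check_pom(open("pom.xml").read())`; a version inherited from a parent POM or an imported BOM is reported as unresolved rather than silently passed, since the effective version then lives outside the file being read (`mvn dependency:tree` shows the resolved result).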
