[
https://issues.apache.org/jira/browse/HIVE-27425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Devaspati Krishnatri updated HIVE-27425:
----------------------------------------
Summary: Upgrade Nimbus-JOSE-JWT to 9.24+ due to CVEs coming from
json-smart (was: Upgrade Nimbus-JOSE-JWT to 9.24 due to CVEs coming from
json-smart)
> Upgrade Nimbus-JOSE-JWT to 9.24+ due to CVEs coming from json-smart
> -------------------------------------------------------------------
>
> Key: HIVE-27425
> URL: https://issues.apache.org/jira/browse/HIVE-27425
> Project: Hive
> Issue Type: Task
> Reporter: Devaspati Krishnatri
> Assignee: Devaspati Krishnatri
> Priority: Major
>
> Nimbus-JOSE-JWT before 9.24 is using the vulnerable version of json-smart.
> nimbus-jose-jwt has dropped the json-smart dependency completely with
> nimbus-jose-jwt 9.24 and replaces it with *Gson 2.9.1 (shaded),* as seen in
> the commit history here:
> [https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/tag/9.24].
> Json-smart before 2.4.9 is affected by CVE-2023-1370
> CVE-2023-1370 - [Json-smart]([https://netplex.github.io/json-smart/]) is a
> performance focused, JSON processor lib. When reaching a '[' or '{' character
> in the JSON input, the code parses an array or an object respectively. It was
> discovered that the code does not have any limit to the nesting of such
> arrays or objects. Since the parsing of nested arrays and objects is done
> recursively, nesting too many of them can cause a stack exhaustion (stack
> overflow) and crash the software.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
