Shaded third-party jackson-core 2.13.2 is missing fix for sonatype-2022-6438

[ericfreese]

Describe the bug

The shaded third-party jackson-core is set at version 2.13.2 which does not have a fix for vulnerability issue sonatype-2022-6438.

aws-sdk-java-v2/pom.xml

Line 95 in 5aa3ff3

<jackson.version>2.13.2</jackson.version>

Expected Behavior

The shaded third-party jackson-core should be at least version 2.15.0.

Current Behavior

The issue was flagged by a prisma scan.

Reproduction Steps

N/A

Possible Solution

Upgrade to at least 2.15.0. Hopefully this is not too difficult because of the shading.

From #2598 (comment):

Shading allows us to use the latest, secure Jackson version without worrying about breaking customer applications.

Additional Information/Context

See:

• Issue sonatype-2022-6438 (fixed via #827) FasterXML/jackson-core#861
• Add numeric value size limits via StreamReadConstraints (fixes sonatype-2022-6438) -- default 1000 chars FasterXML/jackson-core#827
• https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15

This issue is similar to: #3825

AWS Java SDK version used

2.18.41

JDK version used

openjdk version "1.8.0_382" OpenJDK Runtime Environment Corretto-8.382.05.1 (build 1.8.0_382-b05) OpenJDK 64-Bit Server VM Corretto-8.382.05.1 (build 25.382-b05, mixed mode)

Operating System and version

Linux 9d7c897afc63 6.4.11-arch2-1 #1 SMP PREEMPT_DYNAMIC Sat, 19 Aug 2023 15:38:34 +0000 x86_64 x86_64 x86_64 GNU/Linux

[debora-ito]

@ericfreese acknowledged. Assigning a standard priority because it's a sonatype issue with no CVE attached.

[debora-ito]

The jackson version was upgraded as part of Java SDK version 2.20.140.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.