Bump jackson-core and logging-interceptor versions #25
Description
Older versions of jackson-databind (part of jackson-core) and logging-interceptor are vulnerable to a variety of OWASP-acknowledged exploits, including CVE-2023-35116, CVE-2022-42004, CVE-2021-46877, and CVE-2023-0833. Both of those libraries are leveraged by duo_universal_java. This MR upgrades the dependencies to versions without those vulnerabilities.
I acknowledge that the security policy stipulates that vulnerabilities should be reported to Duo first; however, as this is an acknowledged (and patched) vulnerability in dependencies rather than the project's source code itself, I am simply opening an MR. Doing otherwise after I realized this issue exists would be security through obscurity, rather than actually solving the problem. Better to get this fixed ASAP.
Motivation and Context
duo_universal_java is currently open to a variety of exploits, including resource exhaustion, DoS, and XXE attacks. That is concerning. As a user (and enjoyer) of this project, I'd like to patch those vulnerabilities with this MR.
How Has This Been Tested?
All currently extant unit tests passed; beyond that, my ability to test is limited.
Types of Changes