Spring Boot 2.6.5 fails OWASP Check due to CVE-2020-36518

[ghillert]

Originally CVE-2020-36518 only affected Spring 2.5.10 but the CVE was recently updated and now includes Jackson Databind 2.13.2, also, which means that the very latest Spring Boot version 2.6.5 is affected as well.

The CVE was fixed with Jackson Databind version 2.13.2.1.

• Original Spring Boot 2.5.10 issue: Consider updating Jackson dependency for Boot 2.5.10 due to CVE-2020-36518 #30354
• Relevant Jackson issue: Throw JsonMappingException for deeply nested JSON (#2816, CVE-2020-36518) FasterXML/jackson-databind#3416
• CVE info: https://nvd.nist.gov/vuln/detail/CVE-2020-36518

[wilkinsona]

We'll upgrade to the new Jackson release as part of a semi-automated process. In the meantime you are, as ever, free to override the version of Jackson used in your application.

[pandrez]

Hi @wilkinsona

I tried to override Jackson like you suggested but I'm getting an error on Gradle.

I created a really simple Gradle project using Spring Initialzr (you can check it here) and only added the following line to build.gradle.kts:

extra["jackson-bom.version"] = "2.13.2.20220324"

This version contains the fix for the aforementioned CVE.

When building the project, I get the following error:

Execution failed for task ':compileKotlin'.
> Error while evaluating property 'filteredArgumentsMap' of task ':compileKotlin'
   > Could not resolve all files for configuration ':compileClasspath'.
      > Could not find com.fasterxml.jackson:jackson-bom:2.13.2.1.
        Required by:
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.core:jackson-databind:2.13.2.1
      > Could not find com.fasterxml.jackson:jackson-bom:2.13.2.1.
        Required by:
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.module:jackson-module-parameter-names:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.core:jackson-databind:2.13.2.1 > com.fasterxml.jackson.core:jackson-annotations:2.13.2
            project : > org.springframework.boot:spring-boot-starter-webflux:2.6.5 > org.springframework.boot:spring-boot-starter-json:2.6.5 > com.fasterxml.jackson.core:jackson-databind:2.13.2.1 > com.fasterxml.jackson.core:jackson-core:2.13.2

Am I overriding the property incorrectly? Overriding this property on a Maven project works as intended.

[wilkinsona]

Unfortunately, there's a bug in the Gradle module metadata for jackson-databind:2.13.2.1. It sounds like a fix is on the way. In the meantime there are a couple of workarounds in that issue too.

[pandrez]

Thank you so much @wilkinsona 👍🏻