Pjfanning

Name of the Vulnerable Software and Affected Versions: jackson-core versions prior to 2.15.0 Description: The issue arises when parsing input files with deeply nested data, potentially causing a StackoverflowError due to excessive depth. A configurable limit for traversal depth has been introduced, defaulting to 1000, to prevent this error. If the limit is reached, a StreamConstraintsException is thrown. Users should avoid parsing input files from untrusted sources as a workaround. Recommendations: For versions prior to 2.15.0, update to version 2.15.0 or later to include the configurable depth limit and prevent StackoverflowError. As a temporary workaround, consider avoiding the parsing of deeply nested input files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** H2 Database Engine versions prior to 2.2.220 **Description** The web-based admin console in H2 Database Engine can be started via the CLI with the argument `-webAdminPassword`, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. The issue was fixed in version 2.2.220. **Recommendations** For H2 Database Engine versions prior to 2.2.220, update to version 2.2.220 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `-webAdminPassword` argument when starting the web-based admin console via the CLI to minimize the risk of password exposure.

**Name of the Vulnerable Software and Affected Versions** xlsx-streamer versions prior to 2.1.0 **Description** The issue concerns the XML parser used in the Excel-Streaming-Reader, which did not apply all necessary settings to prevent XML Entity Expansion issues. This problem is resolved by upgrading to version 2.1.0. There is no known workaround for this issue. **Recommendations** Upgrade to version 2.1.0 to receive a patch. As there is no known workaround, upgrading to the specified version is the recommended course of action to mitigate the risk associated with this issue.