CVE-2022-42003 - ibm-cos-java-sdk-bundle 2.12.0 contains vulnerable jackson-databind 2.13.3
mkrakow opened this issue
The library jackson-databind version 2.13.3 is embedded in the latest version 2.12.0 of ibm-cos-java-sdk-bundle.
According to GHSA-57j2-w4cx-62h2 the above version of Jackson Databind is vulnerable.
Could you please fix the COS Java SDK bundle by updating the Jackson Databind library to 2.14.0?
@mkrakow - Thanks for your report. We have an internal ticket to complete this work.
@IBMalok do you have an idea when that will be completed?
Jackson Databind library 2.14.0 is not GA yet, but 2.13.4.2 (already GA) contains all the fixes needed for this vulnerability (as well as some of the recent new ones: https://nvd.nist.gov/vuln/detail/CVE-2022-42003 and https://nvd.nist.gov/vuln/detail/CVE-2022-42004).
Closing this issue as resolved.
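As an added example (not part of this issue thread and not code from the IBM COS SDK), here is a small Python check for the situation the reporter describes: it opens a bundle jar, reads the jackson-databind version that the shaded dependency left behind in its Maven `pom.properties`, and compares it against 2.13.4.2, the fixed GA version named in the maintainer's reply. Assumptions: the bundle preserves `META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties` (shaded jars usually keep it, but a build can strip it, in which case the check reports that it found nothing rather than guessing), the 2.13.4.2 threshold is taken from this thread rather than from the full advisory range, and the jar used below is constructed in memory so the example runs offline.

```python
import io
import re
import zipfile

# Path Maven leaves inside a jar that bundles (shades) jackson-databind.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

# Minimum fixed version as stated in the maintainer's reply in this thread.
# Assumption for this example: any lower version is treated as affected.
MIN_FIXED = "2.13.4.2"


def parse_version(v):
    """Turn '2.13.4.2' or '2.14.0-rc1' into a sortable tuple.

    Numeric parts are padded to four components so that 2.13.4 compares as
    2.13.4.0, i.e. below the 2.13.4.2 micro-patch. A qualifier such as '-rc1'
    sorts below the final release with the same numbers.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\w+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    is_final = 1 if m.group(2) is None else 0
    return tuple(nums[:4]) + (is_final,)


def is_affected(version, min_fixed=MIN_FIXED):
    """True when the embedded version is below the minimum fixed version."""
    return parse_version(version) < parse_version(min_fixed)


def embedded_databind_version(jar_bytes):
    """Return the jackson-databind version shaded into a jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def check_bundle(jar_bytes):
    """One-line verdict for a bundle jar."""
    v = embedded_databind_version(jar_bytes)
    if v is None:
        return "no jackson-databind pom.properties found (cannot decide from metadata)"
    verdict = "AFFECTED" if is_affected(v) else "ok"
    return f"jackson-databind {v}: {verdict} (minimum fixed {MIN_FIXED})"


def build_fake_bundle(databind_version):
    """Constructed sample input: a minimal in-memory jar with the pom.properties
    a shaded bundle carries. Not a real ibm-cos-java-sdk-bundle artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            POM_PROPS,
            f"version={databind_version}\n"
            "groupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-databind\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # 2.13.3 is the version the reporter found in bundle 2.12.0.
    for v in ("2.13.3", "2.13.4", "2.13.4.2", "2.14.0-rc1", "2.14.0"):
        print(check_bundle(build_fake_bundle(v)))
    # Against a real artifact:
    # print(check_bundle(open("ibm-cos-java-sdk-bundle-2.12.0.jar", "rb").read()))
```

The version parser matters more than it looks: a naive string comparison or a three-part tuple would rank 2.13.4 and 2.13.4.2 as equal, and Jackson's fix for this CVE shipped precisely as a fourth-component micro-patch.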