IBM / ibm-cos-sdk-java


CVE-2023-35116: jackson-databind package versions before 2.15.2 are vulnerable to Denial of Service (DoS)

tcherel opened this issue · comments

See FasterXML/jackson-databind#3972 and https://nvd.nist.gov/vuln/detail/CVE-2023-35116

It requires an upgrade to jackson-databind 2.15.3.
Can it be done for the COS SDK?

Thanks.

This will be addressed and we will release a new version shortly.

@avinash1IBM do you have an ETA for the new COS SDK version with the jackson-databind upgrade?
Just trying to figure out if we can get it included in our upcoming new release or not.
Thanks.

@tcherel The most recent update from the jackson-databind team is that this is not a vulnerability. You can read this here. So even the NVD website added this note below.
NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
So can we mark this as closed?

@avinash1IBM unfortunately this is not that simple.
We have large customers (we both work for the same company :-) ) that are not easily buying the "not vulnerable" justification and that are pushing really hard to get clean OSS scans before they can deploy the software (based on their own corporate policies).
Things are much easier if the scan result is clean and, in this particular case where it should be a simple/backward compatible upgrade, the upgrade is definitely a better approach.
You can reach me internally (email or slack: Thomas Cherel) if you want to discuss this further.
Thanks.
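While waiting for the SDK release, the upgrade discussed in this thread can be forced on the consuming project's side so that the scan comes back clean and the build fails if the vulnerable range is ever resolved again. The following pom.xml fragment is an added example, not code from the ibm-cos-sdk-java project; the SDK's Maven coordinates, the SDK version placeholder and the enforcer plugin version are assumptions.

```xml
<!-- Added example (not from the SDK project): pin the fixed jackson-databind
     and fail the build if a version in the CVE-2023-35116 range is resolved. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides the transitive one pulled in by the SDK -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.15.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed coordinates for the COS SDK; verify against the project's README -->
    <dependency>
      <groupId>com.ibm.cos</groupId>
      <artifactId>ibm-cos-java-sdk</artifactId>
      <version>SDK_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed current release -->
        <executions>
          <execution>
            <id>ban-vulnerable-jackson-databind</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Any jackson-databind below 2.15.2, direct or transitive, fails the build -->
                  <excludes>
                    <exclude>com.fasterxml.jackson.core:jackson-databind:[,2.15.2)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` afterwards to confirm that only 2.15.3 is resolved.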

We will do a new release that upgrades the above dependency.

A new version of ibm-cos-sdk-java is released to address this vulnerability. Can you please close this issue?

Thanks @avinash1IBM
Closing this git issue.