CVE-2023-35116: jackson-databind package versions before 2.16.0
hbornstein747 opened this issue · comments
See FasterXML/jackson-databind#3972 and https://nvd.nist.gov/vuln/detail/CVE-2023-35116
Even after updating to the suggested version for this CVE, it is still being reported as vulnerable and now requires yet another upgrade to jackson-databind 2.16.0. This is related to #63.
Can it be done for the COS SDK?
cc: @tcherel
@hbornstein747 the jackson-databind team didn't agree that it is a vulnerability (FasterXML/jackson-databind#3972 (comment)), and even if we upgrade the package to 2.16.0, the same vulnerability will be flagged again. Even the NVD site that you shared above added a note saying this:
"NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker."
So can you please close this ticket?
@tcherel ^^^
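As an added illustration of the vendor's argument quoted in the comment above (this is not code from the issue, from jackson-databind or from ibm-cos-sdk-java): a cycle only arises when application code links objects to each other, attacker-supplied JSON is a tree and cannot express one, and a model that legitimately contains cycles is serialized safely with `@JsonIdentityInfo`. The `Node`/`SafeNode` classes and the sample JSON are constructed for this demo.

```java
import com.fasterxml.jackson.annotation.JsonIdentityInfo;
import com.fasterxml.jackson.annotation.ObjectIdGenerators;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class CyclicSerializationDemo {
    // Plain bean (hypothetical): a self-reference can only be created by in-process code.
    public static class Node {
        public String name;
        public Node next;
    }

    // Same shape, but with object identity handling so genuine cycles serialize as references.
    @JsonIdentityInfo(generator = ObjectIdGenerators.IntSequenceGenerator.class, property = "@id")
    public static class SafeNode {
        public String name;
        public SafeNode next;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // 1. A cycle built by application code: the serializer recurses until the stack is
        //    exhausted, which Jackson surfaces as a JsonMappingException ("Infinite recursion").
        Node a = new Node(); a.name = "a";
        Node b = new Node(); b.name = "b";
        a.next = b; b.next = a;
        try {
            mapper.writeValueAsString(a);
        } catch (JsonMappingException e) {
            System.out.println("cycle rejected: " + e.getOriginalMessage());
        }

        // 2. Untrusted input (constructed sample): JSON text is a tree, so readValue can only
        //    produce a finite, acyclic object graph; this path never reaches the recursion above.
        String untrustedJson = "{\"name\":\"a\",\"next\":{\"name\":\"b\",\"next\":null}}";
        Node parsed = mapper.readValue(untrustedJson, Node.class);
        System.out.println("round-trip: " + mapper.writeValueAsString(parsed));

        // 3. Models that really do contain cycles: identity info replaces the back-reference
        //    with the id of the already-written object, so serialization terminates.
        SafeNode x = new SafeNode(); x.name = "x";
        SafeNode y = new SafeNode(); y.name = "y";
        x.next = y; y.next = x;
        System.out.println("with identity: " + mapper.writeValueAsString(x));
    }
}
```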
@avinash1IBM I agree that this is just churn and the vulnerability will likely come up again, but we (CP4D team at IBM) are being asked to update databind regardless. I don't want to close the ticket until our security focal (@tcherel) can comment.
@hbornstein747 A new version of ibm-cos-sdk-java has been released to fix this. Please close this issue.