ibm-cos-java-sdk-bundle 2.11.1 contains vulnerable jackson-databind 2.13.1 #52

klajok · 2022-03-28T09:39:53Z

The library jackson-databind version 2.13.1 is embedded in the latest version 2.11.1 of ibm-cos-java-sdk-bundle .

According to GHSA-57j2-w4cx-62h2 the above version of Jackson Databind is vulnerable.

Please prepare new release of COS Java SDK bundle with updated Jackson Databind library.

The text was updated successfully, but these errors were encountered:

IBMeric · 2022-03-29T14:31:53Z

Thanks for your report. We have an internal ticket to complete this work.

hbornstein747 · 2022-04-14T22:17:45Z

Do you have an ETA when the new version will be available?

hbornstein747 · 2022-04-16T12:30:04Z

Latest CVE requires update to 2.13.2.2. Hopefully this will be included. (I am with the the CP4D dev team)

avinash1IBM · 2022-04-18T10:38:28Z

Thank for the update. This change will be included in the next release. Thanks

hbornstein747 · 2022-04-18T13:27:19Z

Thanks Avinash - can you tell me when that is?

avinash1IBM · 2022-04-19T05:32:09Z

Hello,
The next release will be in second quarter.
Thanks.

IBMeric · 2022-04-26T20:37:58Z

@klajok @hbornstein747 We have released 2.11.2 to address this issue. Please verify and close this ticket.

hbornstein747 · 2022-04-28T16:19:11Z

Thank you. I can verify the issue is resolved.

klajok · 2022-05-02T08:30:50Z

Thank you.

klajok closed this as completed May 2, 2022

Provide feedback