ibm-cos-java-sdk-bundle 2.11.1 contains vulnerable jackson-databind 2.13.1 #52
Comments
Thanks for your report. We have an internal ticket to complete this work.
Do you have an ETA when the new version will be available?
Latest CVE requires update to 2.13.2.2. Hopefully this will be included. (I am with the CP4D dev team)
Thanks for the update. This change will be included in the next release. Thanks
Thanks Avinash - can you tell me when that is?
Hello,
@klajok @hbornstein747 We have released 2.11.2 to address this issue. Please verify and close this ticket.
Thank you. I can verify the issue is resolved.
Thank you.
The library jackson-databind version 2.13.1 is embedded in the latest version 2.11.1 of ibm-cos-java-sdk-bundle. According to GHSA-57j2-w4cx-62h2 the above version of Jackson Databind is vulnerable.
Please prepare a new release of the COS Java SDK bundle with an updated Jackson Databind library.