CVE-2022-42003 - ibm-cos-java-sdk-bundle 2.12.0 contains vulnerable in jackson-databind 2.13.3 #56

mkrakow · 2022-10-11T12:55:08Z

The library jackson-databind version 2.13.3 is embedded in the latest version 2.12.0 of ibm-cos-java-sdk-bundle .

According to GHSA-57j2-w4cx-62h2 the above version of Jackson Databind is vulnerable.

Could you please fix COS Java SDK bundle with updated Jackson Databind library to 2.14.0 ?

IBMalok · 2022-10-13T13:34:44Z

@mkrakow - Thanks for your report. We have an internal ticket to complete this work.

tcherel · 2022-10-21T13:21:50Z

@IBMalok do you have an idea when that will be completed?
Jackson Databind library to 2.14.0 is not GA yet but 2.13.4.2 (already GA) contains all the fixes need for this vulnerability (as well as some of the recent new ones (https://nvd.nist.gov/vuln/detail/CVE-2022-42003 and https://nvd.nist.gov/vuln/detail/CVE-2022-42004).

IBMalok · 2022-10-26T16:36:55Z

@tcherel - We're going to release soon.

IBMalok · 2022-11-03T17:51:07Z

@mkrakow @tcherel - We have released 2.12.1 to address this issue. Please verify and close this ticket.

IBMalok · 2022-11-17T07:39:10Z

Closing this issue as resolved.

tcherel · 2022-11-17T10:48:20Z

@IBMalok my apologies, forgot to update the git issue to confirm that the issue is indeed fixed.
Thanks

IBMalok closed this as completed Nov 17, 2022

Provide feedback