CVE-2022-42004: Transitive dependency (jackson) from io.cloudevents:cloudevents-json-jackson vulnerable #245
Comments
|
It appears that only JsonFormat.CONTENT_TYPE is used here and therefore doesn't pertain to the CVE (custom deserialization methods). Otherwise I do think the correct place for this is requesting cloudevents java sdk to release a newer version. |
|
#274 - cloudevents opted to roll this into the 3.0 release, so we have to bump the cloudevents-sdk version we require, too. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
jackson-json is included transitively via cloudevents-json-jackson. The included version is vulnerable (CVE-2022-42004).
The version is updated there (cloudevents/sdk-java#588), but needs to be released. As soon as this is done, it can be updated here.
Is it advisable to use dependency overrides until then?
The text was updated successfully, but these errors were encountered: