It appears that only JsonFormat.CONTENT_TYPE is used here and therefore doesn't pertain to the CVE (custom deserialization methods). Otherwise I do think the correct place for this is requesting cloudevents java sdk to release a newer version.
jackson-json is included transitively via cloudevents-json-jackson. The included version is vulnerable (CVE-2022-42004).
The version is updated there (cloudevents/sdk-java#588), but needs to be released. As soon as this is done, it can be updated here.
Is it advisable to use dependency overrides until then?