Jackson <= 2.7.3 has a known security vulnerability

[asieira]

The SDK uses Jackson maven dependencies at version 2.6.6, which is vulnerable as per https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3720.

Please upgrade this dependency to version 2.7.4 or above to get the fix.

Plus, in order to ensure that vulnerable dependencies are not used in the future, I would strongly recommend you use http://jeremylong.github.io/DependencyCheck/ to check this automatically and fail builds if vulnerable dependencies with a CVSS score above 8 are found.

[asieira]

Actually, this only affects jackson-dataformat-xml which is not used by the AWS SDK, and the detection was a false positive by DependencyCheck as per jeremylong/DependencyCheck#517 and jeremylong/DependencyCheck#535.

Sorry about this, closing the issue now.