[JOC-1400] Update woodstox-core to 6.4.0 due to 3rd party vulnerability CVE-2022-40153 - SOS JIRA

XML

Word

Printable

Details

Type: Fix
Status: Released (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.13.16
Fix Version/s: 1.13.17
Component/s: None
Labels:
None

CVE-ID:
CVE-2022-40153

Description

Current Situation

JS1 Master, Agent and JOC Cockpit make indirect use of the woodstox-core through jackson-databind (transitive dependency) 3rd party components.

Agent, JOC Cockpit provide woodstox-core 5.2.0
Master provides woodstox-core 6.2.7

A vulnerability affects the versions in use.

We rate the vulnerability as LOW as our software does not use the Xstream component directly.

See CVE-2022-40153

Desired Behavior

JS1 Master, Agent and JOC should use the latest version 6.4.0 of woodstox-core.

Attachments

Activity

People

Assignee:: Santiago Aucejo Petzoldt

Reporter:: Santiago Aucejo Petzoldt

Approver:: Kanika Agrawal

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 27 October 2022 11:05

Updated:: 16 December 2022 12:55

Resolved:: 28 October 2022 08:39