JOC - JobScheduler Operations Center / JOC-1400

Update woodstox-core to 6.4.0 due to 3rd party vulnerability CVE-2022-40153

Details

    • Fix
    • Status: Released
    • Minor
    • Resolution: Fixed
    • 1.13.16
    • 1.13.17
    • None
    • None
    • CVE-2022-40153

    Description

      Current Situation

      JS1 Master, Agent and JOC Cockpit make indirect use of woodstox-core, which is pulled in as a transitive dependency of the jackson-databind 3rd party components.

      • Agent, JOC Cockpit provide woodstox-core 5.2.0
      • Master provides woodstox-core 6.2.7

      A vulnerability affects the versions in use.

      We rate the vulnerability as LOW as our software does not use the XStream component directly.

      See CVE-2022-40153

      Desired Behavior

      JS1 Master, Agent and JOC should use the latest version 6.4.0 of woodstox-core.

          People

            sp Santiago Aucejo Petzoldt
            sp Santiago Aucejo Petzoldt
            Kanika Agrawal Kanika Agrawal