Our CVE tracker is flagging odata-client-core (version 4.8.0) for the presence of dependency woodstox-core (version 6.2.4) affected by CVE-2022-40153. The relevant dependency tree is below:
[INFO] +- org.apache.olingo:odata-client-core:jar:4.8.0:compile
[INFO] | +- org.apache.olingo:odata-client-api:jar:4.8.0:compile
[INFO] | | \- org.apache.olingo:odata-commons-api:jar:4.8.0:compile
[INFO] | +- org.apache.olingo:odata-commons-core:jar:4.8.0:compile
[INFO] | +- commons-codec:commons-codec:jar:1.15:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | | \- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
[INFO] | +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.12.6:compile
[INFO] | | +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.6:compile
[INFO] | | +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] | | \- com.fasterxml.woodstox:woodstox-core:jar:6.2.4:compile
The issue is fixed in woodstox-core 6.4.0. The latest version of odata-client-core (version 4.9.0) is still using the vulnerable woodstox-core version.

Is there a plan to upgrade woodstox-core? If yes, which version is expected to have the fix? Is woodstox-core 6.4.0 compatible with odata-client-core 4.8.0 or 4.9.0, so that I can exclude woodstox-core 6.2.0 in my pom and add woodstox-core 6.4.0?

This has been answered on the Olingo mailing list. Below is the answer:
Hi,
I have checked that Olingo works with Jackson 2.14.0 (which has a newer version of woodstox-core) and have updated the Jackson version accordingly.
With the next version 4.10.0 it will be available.
For your current project I suggest overwriting/setting the used Jackson version to 2.14.0.
Kind Regards, Michael
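The following pom.xml fragment is an added example of how to apply the mailing-list advice in a project that consumes odata-client-core; it is not the asker's pom and not Olingo's own build. It assumes the Jackson BOM artifact com.fasterxml.jackson:jackson-bom and woodstox-core 6.4.0 are available from the project's normal repository. Option A is the override Michael suggests (force all Jackson artifacts to 2.14.0 so that jackson-dataformat-xml brings its newer woodstox-core); option B additionally pins woodstox-core itself, which is what the asker's exclude-and-add approach amounts to, but done via dependencyManagement so that no other transitive path can reintroduce 6.2.x.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Added example (not from the question or the Olingo project):
       override the transitive Jackson / woodstox-core versions that
       odata-client-core 4.8.0 and 4.9.0 pull in. -->
  <groupId>example</groupId>
  <artifactId>odata-client-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Version the Olingo maintainer reports as working with Olingo. -->
    <jackson.version>2.14.0</jackson.version>
    <olingo.version>4.9.0</olingo.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Option A: import the Jackson BOM so every com.fasterxml.jackson.*
           artifact (jackson-core, -annotations, -dataformat-xml, ...) resolves
           to 2.14.0 instead of the 2.12.6 declared by odata-client-core.
           Maven applies dependencyManagement to transitive dependencies,
           so no exclusion on odata-client-core is needed. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Option B: pin woodstox-core itself to the fixed release. This is
           belt-and-braces: even if some other dependency on the classpath
           still references 6.2.x, the managed version wins. -->
      <dependency>
        <groupId>com.fasterxml.woodstox</groupId>
        <artifactId>woodstox-core</artifactId>
        <version>6.4.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The dependency the CVE tracker flagged; its version is unchanged,
         only the transitive versions above are overridden. -->
    <dependency>
      <groupId>org.apache.olingo</groupId>
      <artifactId>odata-client-core</artifactId>
      <version>${olingo.version}</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm the override actually took effect rather than trusting the tracker's next scan: `mvn dependency:tree -Dincludes=com.fasterxml.woodstox:woodstox-core` should show exactly one woodstox-core entry at 6.4.0 (or whatever Jackson 2.14.0 resolves to with option A alone) and no remaining 6.2.x path. Because this bumps Jackson across a minor version (2.12 to 2.14), rerun the application's own XML and JSON tests as well; the mailing-list answer reports that Olingo itself works with 2.14.0, but that does not cover your code's use of Jackson.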