In “Camunda Platform Engine REST JAX RS 2.0”, we have 2 vulnerabilities, which are coming from dependencies (com.fasterxml.jackson.core » jackson-databind: 2 vulnerabilities).
Currently, our project is using 7.17.0, but 7.18.0-alpha5 also has these vulnerabilities.
We assessed these CVEs a while ago and determined that Camunda 7 is not affected by them. We plan to update the dependencies with the enterprise patches due at the end of February, and subsequently with the alpha release that we will release in March and 7.19.0 in April. You can follow “Update Jackson to the latest version · Issue #2842 · camunda/camunda-bpm-platform · GitHub” for our progress.
@DominikLeszyk which link exactly are you referring to? If I click on “Reporting Vulnerabilities” at Camunda Trust Center | Camunda it takes me to Reporting Vulnerabilities | Camunda and from there the links point to JIRA. Note that you need a user account for the Camunda JIRA in order to raise a ticket in the SEC project.
Replacing the links seems to resolve the issue, at least in my local setup. You may have to hard reload the page; it should then display a link labeled Camunda Trust Center instead of camunda.com/security.