Vulnerailities in Camunda Engine REST JAX RS 2.0

In “Camunda Platform Engine REST JAX RS 2.0”, we have 2 vulnerabilities, which are coming from dependencies (com.fasterxml.jackson.core » jackson-databind2 vulnerabilities).

currently, our project is using 7.17.0 but 7.18.0-alpha5 also has these vulnerabilities.


reported vulnerabilities:

can you suggest by which version and when, we will have fix for these vulnerabilities? (I think it would need the jar version upgrade only)

@vijaygurunanee I’ve also faced this problem and reported it to security jira of Camunda.

Camunda team: please update the Camunda Trust Center | Camunda link residing at Report a Vulnerability | as currently it causes 404.


We have assessed these CVEs a while ago and determined that Camunda 7 is not affected by them. We plan to update the dependencies with enterprise patches due for end of February and subsequently the alpha release that we will release in March and 7.19.0 in April. You can follow Update Jackson to the latest version · Issue #2842 · camunda/camunda-bpm-platform · GitHub for our progress.

@DominikLeszyk which link exactly are you referring to? If I click on “Reporting Vulnerabilities” at Camunda Trust Center | Camunda it takes me to Reporting Vulnerabilities | Camunda and from there the links point to JIRA. Note that you need a user account for the Camunda JIRA in order to raise a ticket in the SEC project.


Hi @thorben
Thanks for clarification on these CVEs.
In Report a Vulnerability | there is link mentioned. Clicking it causes 404 for me.

Interesting, redirects me to (latest Firefox, Windows 10), although the #report-a-vulnerability anchor doesn’t work. Which browser and OS are you trying this with?

I’ve checked on latest Firefox and Chrome on Windows 10. For me problem is that link rendered on Report a Vulnerability | page gets some strange ‘___hstc’ parameters in URL making it invalid.
Looks very similar to HubSpot adds __hstc, __hssc and __hsfp query params to all external URL, making them invalid · Issue #504 · segmentio/analytics.js · GitHub.

Thanks, when I try it on Chrome I can reproduce it too. On Firefox I use NoScript which prevents HubSpot from doing funny things. In the first step, I’ll update the URLs to avoid the redirects (Update docs link to vulnerability reporting guide · Issue #2973 · camunda/camunda-bpm-platform · GitHub). If the problem persists, I’ll let our web marketing team know.

Replacing the links seems to resolve the issue, at least in my local setup. You may have to hard reload the page, it should then display a link labeled Camunda Trust Center instead of

Thank you, it works now.