CIB seven 2.0.9 EE - Release Notes
Release Notes
Release Date: March 31, 2026
Highlights
- Updated CIB seven to resolve CVEs in third-party libraries
- Packaging change: The dependency
org.cibseven.connect:cibseven-connect-corehas been excluded from the shaded artifact.
Technical Updates
Dependency Updates
- Update
Spring Bootfrom3.5.9to3.5.12 - Update
jackson corefrom2.19.4to2.21.1
Resolved CVE Vulnerabilities
Critical Severity
- CVE-2025-66614 - CVSS 9.1, Improper Input Validation vulnerability in Apache Tomcat.
High Severity
- CVE-2026-24734 - CVSS 7.5, Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
- CVE-2026-29062 - CVSS 8.7. Nesting depth constraint bypass in
com.fasterxml.jackson.core:jackson-corecan triggerStackOverflowErrorand lead to Denial of Service.
Medium Severity
- GHSA-72hv-8253-57qq - CVSS 6.9. Async parser number length constraint bypass in
com.fasterxml.jackson.core:jackson-corecan cause excessive memory allocation and CPU exhaustion, leading to Denial of Service. - CVE-2026-22184 - CVSS-B 4.6. Fixed a global buffer overflow in
zlibby updating it to1.3.1-r2. The vulnerable library was included transitively via the Alpine base image.
Low Severity
- CVE-2026-24733 - CVSS 3.7, Improper Input Validation vulnerability in Apache Tomcat.