CIB seven 2.1.5 EE - Release Notes

Release Date: March 31, 2026

Highlights

  • Updated CIB seven to resolve CVEs in third-party libraries
  • Packaging change: The dependency org.cibseven.connect:cibseven-connect-core has been excluded from the shaded artifact.
  • Improved the web client user experience with better navigation, richer variable details, and retry support for subprocess incidents.
  • MariaDB: updated the SQL scripts for migration from CIB seven 2.1.3 (Camunda 7.23)

User Experience Improvements in Web Client

  • Enhanced navigation between process instances and process definitions, with and without tenantId
  • Variables table: added the ‘activity instance id’ column and fixed the value of the ‘scope’ column
  • Incidents table: enabled retrying subprocess incidents from the parent process
  • Modify view: fixed an issue where moving a token from an incident activity to the Start Event could stop the process instead of restarting or continuing execution

Technical Updates

Dependency Updates

  • Update Spring Boot from 3.5.9 to 3.5.12
  • Update jackson core from 2.19.4 to 2.21.1
  • Update jackson.core.jackson-databind from 2.19.4 to 2.21.1
  • Update groovy from 4.0.27 to 4.0.30 to fix “import static” issue when executing scripts

Resolved CVE Vulnerabilities

Critical Severity

  • CVE-2025-66614 - CVSS 9.1. Improper Input Validation vulnerability in Apache Tomcat.

High Severity

  • CVE-2026-24734 - CVSS 7.5. Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
  • CVE-2026-29062 - CVSS 8.7. Nesting depth constraint bypass in com.fasterxml.jackson.core:jackson-core can trigger StackOverflowError and lead to Denial of Service.

Medium Severity

  • GHSA-72hv-8253-57qq - CVSS 6.9. Async parser number length constraint bypass in com.fasterxml.jackson.core:jackson-core can cause excessive memory allocation and CPU exhaustion, leading to Denial of Service.
  • CVE-2026-22184 - CVSS-B 4.6. Fixed a global buffer overflow in zlib by updating it to 1.3.1-r2. The vulnerable library was included transitively via the Alpine base image.

Low Severity

  • CVE-2026-24733 - CVSS 3.7. Improper Input Validation vulnerability in Apache Tomcat.
