A security scan or GitHub security advisory has flagged the library com.fasterxml.jackson.core:jackson-core as vulnerable to GHSA-72hv-8253-57qq. This vulnerability exists in versions >= 2.0.0 and <= 2.18.5.
In the WCC environment, version 2.14.2 was detected within the hazelcast.jar file located at:
/opt/CA/WorkloadAutomationAE/wcc/bin/lib/hazelcast.jar -> META-INF/maven/com.fasterxml.jackson.core/jackson-core
Product: Autosys Workload Automation (Web Control Center / WCC)
Third-Party Components: Hazelcast 5.4.0 / Jackson Core 2.18.2
WCC 12.1.01
The current release of the product is not impacted by this vulnerability.
According to the GitHub Advisory GHSA-72hv-8253-57qq:
Vulnerable: Only the non-blocking (asynchronous) JSON parser in Jackson-core is affected.
Not Vulnerable: The synchronous parser is not affected. The advisory explicitly states: “The standard synchronous parser correctly enforces this limit.”
Autosys/WCC makes use of the synchronous parser; therefore, the vulnerability cannot be exploited in this context.
GitHub Security Advisory: https://github.com/advisories/GHSA-72hv-8253-57qq
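To confirm what a scanner reported for a bundled jar, the embedded Maven metadata can be read directly and compared with the advisory range quoted above. This is an added example, not code from the vendor or the product; it assumes the metadata directory contains the conventional Maven `pom.properties` file, the function names are hypothetical, and the sample jar is constructed in memory.

```python
import io
import re
import zipfile

# Metadata directory as reported on this page; pom.properties is the Maven
# convention for the file inside it (assumption, not stated on the page).
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties"
# Affected range as stated on this page: >= 2.0.0 and <= 2.18.5.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 18, 5)


def parse_version(text):
    """Turn '2.14.2' or '2.18.5-rc1' into a comparable (major, minor, patch)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def bundled_jackson_core_version(jar):
    """Return the jackson-core version recorded inside the jar, or None."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def in_affected_range(version):
    """True when the version falls inside the range quoted from the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def make_sample_jar(version):
    """Constructed sample: an in-memory jar holding only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#Constructed sample\nversion={version}\n"
                               "groupId=com.fasterxml.jackson.core\nartifactId=jackson-core\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    found = bundled_jackson_core_version(make_sample_jar("2.14.2"))
    print(found, "in advisory range:", in_affected_range(found))
```

Pass the path to the real jar (for example the hazelcast.jar location given above) instead of the sample. A version inside the range only reproduces the scanner finding; whether it is exploitable depends on which parser the product uses, as described above.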