Skip to main content
Question

Vulnerability in docusign-esign-java

  • July 8, 2026
  • 0 replies
  • 12 views

Bruce C
New Voice
Forum|alt.badge.img

The Docusign-esign-java libary released a new version (6.7.0) last on 7/1/2026; however, it still uses a version of com.fasterxml.jackson.core (2.17.1) that has a vulnerability (CVE GHSA-72hv-8253-57qq).  This vulnerability was fixed in version 2.18.6 and 2.21.1.  When can we expect docusign-esign-java to be updated to use a jackson.core version with the fix?

This is the entry in my pom.xml
        <dependency>
            <groupId>com.docusign</groupId>
            <artifactId>docusign-esign-java</artifactId>
            <version>6.7.0</version>
            <classifier>shaded</classifier>
        </dependency>
If I remove the shaded classifier then the application throws an error (java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/util/ISO8601DateFormat) when it tries to create a  com.docusign.esign.client.ApiClient