Problem
The dependencyManagement override for commons-lang3 was only defined in jdbc-core/pom.xml, not in the parent pom. Maven propagates dependencyManagement down the parent chain, not across the dependency graph, so a module that merely depends on jdbc-core does not pick up the versions jdbc-core manages. Since the uber jar module (assembly-uber) inherits from the parent pom (not from jdbc-core), the transitive dependency from commons-configuration2 resolves to commons-lang3:3.14.0 instead of the intended 3.18.0.
This means the released databricks-jdbc-3.3.1.jar (uber jar) bundles the vulnerable commons-lang3:3.14.0 despite the changelog stating it was updated.
Impact
- CVE-2025-48924 (MEDIUM) remains present in the uber jar
- Vulnerability scanners (e.g., Trivy) correctly flag the bundled 3.14.0 version
Fix
Move the dependencyManagement section from jdbc-core/pom.xml to the parent pom.xml so all modules (including assembly-uber and assembly-thin) resolve commons-lang3 to 3.18.0.
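A release-side check for this class of regression, added here as an example rather than code from the original issue or from the databricks-jdbc project: Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into every artifact it builds, and an uber jar built with maven-shade-plugin keeps those entries from its dependencies unless they are explicitly filtered out. That metadata is what scanners such as Trivy read to identify a bundled version, so reading it directly tells you what the shipped jar actually contains, independent of what the changelog says. The script builds two constructed stand-in jars (one recording 3.14.0, matching the released 3.3.1 jar as described above, one recording 3.18.0) and flags the first; the minimum version 3.18.0 is taken from the page, everything else is an assumption of the example.

```python
import io
import zipfile
from typing import Optional

# Maven embeds the coordinates of each bundled artifact at this path. Shaded jars
# carry one copy per dependency; Trivy and similar scanners read these entries.
POM_PROPERTIES = "META-INF/maven/{group}/{artifact}/pom.properties"


def bundled_version(jar_bytes: bytes, group: str, artifact: str) -> Optional[str]:
    """Return the version recorded for group:artifact inside the jar, or None if absent."""
    entry = POM_PROPERTIES.format(group=group, artifact=artifact)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if entry not in jar.namelist():
            return None
        for line in jar.read(entry).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def version_tuple(version: str) -> tuple:
    """Turn '3.18.0' into (3, 18, 0) so comparison is numeric, not lexical.

    A qualifier such as '-SNAPSHOT' is dropped; non-numeric segments count as 0.
    """
    base = version.split("-", 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in base.split("."))


def meets_minimum(found: Optional[str], minimum: str) -> bool:
    """True only if the artifact is present and at least the minimum version."""
    return found is not None and version_tuple(found) >= version_tuple(minimum)


def check_release(jar_bytes: bytes) -> dict:
    """Verify the commons-lang3 copy bundled in an uber jar is at least 3.18.0."""
    found = bundled_version(jar_bytes, "org.apache.commons", "commons-lang3")
    return {"found": found, "ok": meets_minimum(found, "3.18.0")}


def build_uber_jar(commons_lang3_version: str) -> bytes:
    """Constructed stand-in for an uber jar: only the Maven metadata entry matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            POM_PROPERTIES.format(group="org.apache.commons", artifact="commons-lang3"),
            "#Generated by Maven\n"
            f"version={commons_lang3_version}\n"
            "groupId=org.apache.commons\n"
            "artifactId=commons-lang3\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: the released jar as described (3.14.0) and a build after the fix (3.18.0).
    for label, version in (("released 3.3.1", "3.14.0"), ("after fix", "3.18.0")):
        print(label, check_release(build_uber_jar(version)))
```

To run it against a real artifact, pass the bytes of the jar (for example `pathlib.Path("databricks-jdbc-3.3.1.jar").read_bytes()`) to check_release instead of a constructed jar. If the shade configuration strips META-INF/maven, bundled_version returns None and the check fails closed, which is the right outcome for a release gate. Before the jar is even built, `mvn dependency:tree -pl assembly-uber -Dincludes=org.apache.commons:commons-lang3` run from the reactor root shows which version that module resolves, so the same regression is visible at pom-review time rather than after release.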