Vulnerability and POM reorganization.
Vulnerability Fix: Updates to pom.xml
The following outlines the resolution and remaining issues for vulnerabilities identified in the pom.xml file. Improvements include reductions in critical, high, and medium vulnerabilities.
Key Improvements:
-
Reduced Vulnerabilities
- Original Total: 24 (Critical: 1, High: 7, Medium: 15, Low: 1)
- Updated Total: 10 (Critical: 0, High: 3, Medium: 6, Low: 1)
-
Critical Issues Resolved
- Fixed CVE-2024-53990 in
org.asynchttpclient:async-http-client.
- Fixed CVE-2024-53990 in
Details of Fixed Vulnerabilities:
-
ch.qos.logback:logback-core- Vulnerability: CVE-2024-12798
- Severity: Medium
-
Issue: Arbitrary code execution via
JaninoEventEvaluator. -
Resolution: Upgraded from
1.5.6to1.5.13.
-
com.azure:azure-identity- Vulnerability: CVE-2024-35255
- Severity: Medium
- Issue: Elevation of privilege in Azure Identity Libraries.
-
Resolution: Upgraded to
1.12.2.
-
org.apache.tomcat:tomcat-catalina- Vulnerabilities Fixed:
- Severity: High
-
Resolution: Updated to a secure version (
10.1.34).
Remaining Vulnerabilities:
While significant progress has been made, several high and medium vulnerabilities remain, including:
-
High Severity:
-
com.nimbusds:nimbus-jose-jwt– CVE-2023-52428-
Issue: Denial of service via large JWE
p2cheader. -
Resolution Pending: Upgrade to
9.37.2.
-
Issue: Denial of service via large JWE
-
-
Medium Severity:
-
commons-io:commons-io– CVE-2024-47554-
Issue: Denial of service attack on untrusted input to
XmlStreamReader. -
Resolution Pending: Upgrade to
2.14.0.
-
Issue: Denial of service attack on untrusted input to
-
-
Other:
- Multiple vulnerabilities in
org.springframeworkandsoftware.amazon.ion.
- Multiple vulnerabilities in
Summary:
The latest update significantly reduces the severity of vulnerabilities while fixing all critical issues.
Edited by Daniel Scholl