Skip to content

Vulnerability Fixes and Workload Identity Enablement

Daniel Scholl requested to merge vulnerabilities into master

New Feature: Updated OSDU Core Lib Azure supports workload identity capabilities.

Fix: Resolve vulnerabilities in pom.xml

This PR highlights the vulnerabilities that have been resolved in pom.xml. Below is the delta of vulnerabilities that were present in the previous scan but are no longer found in the current state.

Resolved Vulnerabilities:

  1. com.azure:azure-identity

    • Vulnerability: CVE-2024-35255
    • Severity: Medium
    • Issue: Azure Identity Libraries Elevation of Privilege Vulnerability
    • Resolution: Upgraded from 1.11.2 to 1.12.2.

  2. io.lettuce:lettuce-core

    • Vulnerability: GHSA-q4h9-7rxj-7gx2
    • Severity: Medium
    • Issue: Netty vulnerability included in Redis lettuce
    • Resolution: Upgraded from 6.3.2.RELEASE to 6.5.1.RELEASE.

  3. org.eclipse.jetty:jetty-http

    • Vulnerability: CVE-2024-6763
    • Severity: Medium
    • Issue: Jetty URI parsing of invalid authority
    • Resolution: Upgraded from 12.0.10 to 12.0.12.

  4. org.eclipse.jetty:jetty-server

    • Vulnerability: CVE-2024-8184
    • Severity: Medium
    • Issue: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
    • Resolution: Upgraded from 12.0.0 to 12.0.9.

  5. org.springframework:spring-beans

    • Vulnerability: CVE-2024-38827
    • Severity: Medium
    • Issue: Authorization bypass for case-sensitive comparisons in Spring Security
    • Resolution: Upgraded from 6.1.13 to 6.1.14.

  6. org.springframework:spring-context

    • Vulnerability: CVE-2024-38820
    • Severity: Medium
    • Issue: DataBinder vulnerability related to disallowedFieldspatterns
    • Resolution: Addressed through updated libraries.

Merge request reports