Skip to content

Vulnerability Fixes and POM adjustment

Daniel Scholl requested to merge azurecorelib into master

Vulnerability Fix: Updates to pom.xml

This report documents the resolution of vulnerabilities in the original pom.xml file. The fixed version has reduced the number of vulnerabilities and addressed critical security issues. Below is a summary of the resolved and remaining vulnerabilities.

Key Improvements:

  1. Reduced Vulnerabilities

    • Original Total: 29 (Critical: 2, High: 6, Medium: 19, Low: 2)
    • Fixed Total: 21 (Critical: 1, High: 5, Medium: 13, Low: 2)

  2. Fixed Critical Issues

    • Resolved CVE-2024-12798, an arbitrary code execution vulnerability in ch.qos.logback:logback-core.

Details of Fixed Vulnerabilities:

  1. ch.qos.logback:logback-core

    • Vulnerability: CVE-2024-12798
    • Severity: Medium
    • Issue: Arbitrary code execution via JaninoEventEvaluator.
    • Resolution: Upgraded from 1.5.6 to 1.5.13.

  2. commons-io:commons-io

    • Vulnerability: CVE-2024-47554
    • Severity: High
    • Issue: Denial of Service (DoS) through untrusted input to XmlStreamReader.
    • Resolution: Upgrade to 2.14.0.

  3. org.springframework.security:spring-security-web

    • Vulnerability: CVE-2024-38821
    • Severity: Critical
    • Issue: Authorization bypass in WebFlux static resources.
    • Resolution: Upgrade paths to versions 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, or 6.3.4.

  4. org.springframework.boot:spring-boot-loader

    • Vulnerability: CVE-2024-38807
    • Severity: High
    • Issue: Vulnerabilities in applications using spring-boot-loader.
    • Resolution: Upgrade paths to versions 2.7.22, 3.0.17, 3.1.13, 3.2.9, or 3.3.3.

Remaining Vulnerabilities:

Despite these fixes, a critical vulnerability remains, along with high, medium, and low severity issues that require attention in subsequent updates.

  1. Critical:

  2. High:

    • org.springframework:spring-webmvc – Path traversal vulnerabilities.

  3. Medium:

    • io.lettuce:lettuce-core – Vulnerabilities in Netty dependency.

Summary:

The fixes in this update address critical and high-severity vulnerabilities, improving the overall security posture of the project.

Edited by Daniel Scholl

Merge request reports