Vulnerability Fixing and POM reorganization

Daniel Scholl requested to merge vulnerabilities into master

Vulnerability Fix: Updates to Dependencies in pom.xml

This update addresses various vulnerabilities identified in pom.xml by upgrading affected libraries. Below are the details of the resolved vulnerabilities, highlighting fixed versions and their security improvements.


Fixed Vulnerabilities:

  1. com.nimbusds:nimbus-jose-jwt
    • Vulnerability: CVE-2023-52428
    • Severity: High
    • Issue: Large JWE p2c header value causes Denial of Service.
    • Resolution: Upgraded from 7.9 to 9.37.2.
  2. commons-io:commons-io
    • Vulnerability: CVE-2024-47554
    • Severity: High
    • Issue: Denial of service attack via untrusted input to XmlStreamReader.
    • Resolution: Upgraded from 2.7 to 2.14.0.
  3. io.lettuce:lettuce-core
    • Vulnerability: GHSA-q4h9-7rxj-7gx2
    • Severity: Medium
    • Issue: Vulnerabilities in Netty dependency.
    • Resolution: Upgraded from 6.3.2.RELEASE to 6.5.1.RELEASE.
  4. io.netty:netty-codec-http
    • Vulnerability: CVE-2024-29025
    • Severity: Medium
    • Issue: Resource allocation vulnerability.
    • Resolution: Upgraded from 4.1.86.Final to 4.1.108.Final.
  5. io.netty:netty-common
    • Vulnerability: CVE-2024-47535
    • Severity: Medium
    • Issue: Denial of Service on Windows apps.
    • Resolution: Upgraded from 4.1.114.Final to 4.1.115.
  6. org.springframework:spring-beans
    • Vulnerability: CVE-2024-38827
    • Severity: Medium
    • Issue: Authorization bypass for case-sensitive comparisons.
    • Resolution: Upgraded from 6.1.13 to 6.1.14.
  7. org.springframework:spring-context
    • Vulnerabilities:
    • Severity: Medium
    • Issue: Authorization bypass and security fixes for DataBinder.
    • Resolution: Fixed by updating to compatible versions.
  8. org.springframework:spring-web
    • Vulnerability: CVE-2024-38809
    • Severity: Medium
    • Issue: Denial of service in conditional HTTP requests.
    • Resolution: Upgraded to 6.1.12.

Summary

The dependency updates successfully reduced vulnerabilities, resolving the critical vulnerability and mitigating key high- and medium-severity issues. These fixes improve the security, reliability, and performance of the application.