Vulnerability Fixing and POM reorganization
Vulnerability Fix: Updates to Dependencies in pom.xml
This update addresses vulnerabilities reported against dependencies declared in pom.xml by upgrading the affected libraries. Below are the details of each resolved vulnerability, with the fixed version and the issue it closes.
Fixed Vulnerabilities:
- com.nimbusds:nimbus-jose-jwt
  - Vulnerability: CVE-2023-52428
  - Severity: High
  - Issue: A large JWE `p2c` header value (the PBES2 iteration count) causes denial of service.
  - Resolution: Upgraded from 7.9 to 9.37.2.
- commons-io:commons-io
  - Vulnerability: CVE-2024-47554
  - Severity: High
  - Issue: Denial of service via untrusted input to `XmlStreamReader`.
  - Resolution: Upgraded from 2.7 to 2.14.0.
- io.lettuce:lettuce-core
  - Vulnerability: GHSA-q4h9-7rxj-7gx2
  - Severity: Medium
  - Issue: Vulnerabilities in the transitive Netty dependency.
  - Resolution: Upgraded from 6.3.2.RELEASE to 6.5.1.RELEASE.
- io.netty:netty-codec-http
  - Vulnerability: CVE-2024-29025
  - Severity: Medium
  - Issue: Unbounded resource allocation in the HTTP request decoder (denial of service).
  - Resolution: Upgraded from 4.1.86.Final to 4.1.108.Final.
- io.netty:netty-common
  - Vulnerability: CVE-2024-47535
  - Severity: Medium
  - Issue: Denial of service of Netty applications running on Windows.
  - Resolution: Upgraded from 4.1.114.Final to 4.1.115.Final.
- org.springframework:spring-beans
  - Vulnerability: CVE-2024-38827
  - Severity: Medium
  - Issue: Authorization bypass caused by locale-dependent case conversion in string comparisons.
  - Resolution: Upgraded from 6.1.13 to 6.1.14.
- org.springframework:spring-context
  - Severity: Medium
  - Issue: Authorization bypass and security fixes in `DataBinder`.
  - Resolution: Upgraded to the version compatible with the other Spring Framework artifacts.
- org.springframework:spring-web
  - Vulnerability: CVE-2024-38809
  - Severity: Medium
  - Issue: Denial of service when handling conditional HTTP requests.
  - Resolution: Upgraded to 6.1.12.
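The version bumps above leave the Netty artifacts at two different versions (netty-codec-http at 4.1.108.Final, netty-common at 4.1.115.Final) and the Spring Framework artifacts at two (spring-web at 6.1.12, spring-beans at 6.1.14). Both projects expect all of their modules to be on a single version, and lettuce-core pulls Netty in transitively as well, so a scanner can keep flagging an old copy that the direct bumps never touched. The following `dependencyManagement` fragment is added here as an illustration and is not taken from the project's pom.xml: it pins every Netty and Spring Framework module to one fixed version through the published BOMs (io.netty:netty-bom and org.springframework:spring-framework-bom are real Maven artifacts; the property names and the surrounding project layout are assumed).

```xml
<!-- Added example, not the project's own pom.xml. Property names are assumed. -->
<project>
  <properties>
    <!-- 4.1.115.Final satisfies CVE-2024-29025 (fixed in 4.1.108.Final) and CVE-2024-47535 (fixed in 4.1.115.Final) -->
    <netty.version>4.1.115.Final</netty.version>
    <!-- 6.1.14 satisfies CVE-2024-38809 (fixed in 6.1.12) and CVE-2024-38827 (fixed in 6.1.14) -->
    <spring-framework.version>6.1.14</spring-framework.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- One version for every io.netty:* artifact, whether declared directly
           or pulled in transitively (for example through lettuce-core). -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- One version for every org.springframework:* artifact
           (spring-beans, spring-context, spring-web, ...). -->
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>${spring-framework.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Fixed versions from the list above for the remaining libraries. -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>9.37.2</version>
      </dependency>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.14.0</version>
      </dependency>
      <dependency>
        <groupId>io.lettuce</groupId>
        <artifactId>lettuce-core</artifactId>
        <version>6.5.1.RELEASE</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Two things to check after applying it: a managed version only takes effect for dependencies that do not carry their own explicit `<version>` in the `<dependencies>` section, so remove those; and the resolved graph should be confirmed with `mvn dependency:tree -Dincludes=io.netty,org.springframework`, which must show a single version for each group before the scan is re-run.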
Summary
The dependency updates resolved the high severity findings and mitigated the medium severity ones listed above; no critical severity finding was in scope. Beyond closing these advisories, the upgrades move the affected libraries onto maintained release lines, which improves the reliability of the application.