Vulnerability Fixing and POM Reorganization
Vulnerability Fix: Updated Dependencies in pom.xml
This update addresses known vulnerabilities in dependencies declared in pom.xml. Below are the details of the resolved issues: the affected library, the advisory, and the version that carries the fix.
Fixed Vulnerabilities:
- commons-io:commons-io
  - Vulnerabilities:
    - CVE-2024-47554
      - Severity: High
      - Issue: Possible denial of service on untrusted input to XmlStreamReader (uncontrolled resource consumption).
      - Resolution: Upgraded from 2.4 to 2.14.0.
    - CVE-2021-29425
      - Severity: Medium
      - Issue: Limited path traversal in FileNameUtils.normalize, affecting commons-io versions 2.2 to 2.6.
      - Resolution: Fixed in version 2.7; covered by the upgrade to 2.14.0.
- io.netty:netty-common
  - Vulnerability: CVE-2024-47535
    - Severity: Medium
    - Issue: Denial of service in Netty applications running on Windows (unsafe reading of an environment file that an attacker can make arbitrarily large).
    - Resolution: Upgraded from 4.1.114.Final to 4.1.115.Final.
- io.lettuce:lettuce-core
  - Vulnerability: GHSA-q4h9-7rxj-7gx2
    - Severity: Medium
    - Issue: Vulnerable Netty version pulled in transitively by Lettuce (the Redis client).
    - Resolution: Upgraded from 6.3.2.RELEASE to 6.5.1.RELEASE. Because the Netty fix arrives transitively here, confirm with `mvn dependency:tree -Dincludes=io.netty` that no other dependency path still resolves the old Netty.
- org.bouncycastle:bcprov-jdk15on
  - Vulnerabilities:
    - CVE-2020-15522
      - Severity: Medium
      - Issue: Timing side channel in the EC math library.
      - Resolution: Fixed in version 1.66.
    - CVE-2023-33202
      - Severity: Medium
      - Issue: Out of memory while parsing crafted ASN.1 data (PEMParser).
      - Resolution: Fixed in version 1.73. Note that 1.70 is the last release published under the bcprov-jdk15on coordinates; 1.73 and later exist only as org.bouncycastle:bcprov-jdk18on, so the artifactId must change along with the version or this finding will remain open.
- software.amazon.ion:ion-java
  - Vulnerability: CVE-2024-21634
    - Severity: High
    - Issue: Stack overflow (uncontrolled recursion) when parsing crafted Ion data.
    - Resolution: Upgraded from 1.2.0 to 1.10.5.
- org.springframework.security.oauth:spring-security-oauth2
  - Vulnerability: CVE-2022-22969
    - Severity: Medium
    - Issue: Denial of service in Spring Security OAuth2 (resource exhaustion by repeatedly initiating the Authorization Code Grant request within a single session).
    - Resolution: Upgraded from 2.5.1.RELEASE to 2.5.2.RELEASE. This is the final release of the spring-security-oauth project, which is end of life, so later findings against it will not receive fixes; plan a migration to the OAuth2 support built into Spring Security.
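As an added check, not part of this pull request or of any of the projects above: a script that reads a pom.xml and reports every dependency from the list above that is still below its fixed version, that is still declared under the retired bcprov-jdk15on coordinates, or whose version cannot be resolved from `<properties>`. The FLOORS table is taken from the advisories listed above; SAMPLE_POM is a constructed pom fragment so the script runs offline. It only reads the literal pom (not the effective pom with inherited and transitive versions), and the version comparison is a simplified form of Maven's rules.

```python
"""Check a pom.xml against the minimum fixed versions listed in this update.

Added example, not code from the original pull request. FLOORS comes from the
advisories listed above; SAMPLE_POM is a constructed fragment so this runs
offline. Usage against a real file: python check_pom.py path/to/pom.xml
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# groupId:artifactId -> (minimum fixed version, advisory it closes)
FLOORS = {
    "commons-io:commons-io": ("2.14.0", "CVE-2024-47554"),
    "io.netty:netty-common": ("4.1.115.Final", "CVE-2024-47535"),
    "io.lettuce:lettuce-core": ("6.5.1.RELEASE", "GHSA-q4h9-7rxj-7gx2"),
    "org.bouncycastle:bcprov-jdk18on": ("1.73", "CVE-2023-33202"),
    "software.amazon.ion:ion-java": ("1.10.5", "CVE-2024-21634"),
    "org.springframework.security.oauth:spring-security-oauth2":
        ("2.5.2.RELEASE", "CVE-2022-22969"),
}

# Retired coordinates: no version under the old artifactId carries the fix.
RENAMED = {"org.bouncycastle:bcprov-jdk15on": "org.bouncycastle:bcprov-jdk18on"}


def _dep(group, artifact, version):
    """Build one <dependency> element for the constructed sample pom."""
    return ("<dependency><groupId>%s</groupId><artifactId>%s</artifactId>"
            "<version>%s</version></dependency>" % (group, artifact, version))


# Constructed sample: a pom that still carries several of the old versions.
SAMPLE_POM = "\n".join([
    '<project xmlns="http://maven.apache.org/POM/4.0.0">',
    '<properties><commons-io.version>2.4</commons-io.version></properties>',
    '<dependencyManagement><dependencies>',
    _dep("io.netty", "netty-common", "4.1.115.Final"),
    '</dependencies></dependencyManagement>',
    '<dependencies>',
    _dep("commons-io", "commons-io", "${commons-io.version}"),
    _dep("io.lettuce", "lettuce-core", "6.3.2.RELEASE"),
    _dep("org.bouncycastle", "bcprov-jdk15on", "1.70"),
    _dep("software.amazon.ion", "ion-java", "1.10.5"),
    _dep("org.springframework.security.oauth", "spring-security-oauth2", "2.5.2.RELEASE"),
    '</dependencies>',
    '</project>',
])


def version_key(v):
    """Comparable key for Maven-style versions: numeric parts as ints, qualifiers
    such as Final or RELEASE as lowercase strings. Sufficient for the floors above;
    Maven's own ComparableVersion has more rules (e.g. 'final' is neutral)."""
    return [(0, int(p)) if p.isdigit() else (1, p.lower()) for p in re.split(r"[.\-]", v)]


def _text(elem, tag):
    child = elem.find("m:" + tag, NS)
    return child.text.strip() if child is not None and child.text else None


def _properties(root):
    props = root.find("m:properties", NS)
    return {} if props is None else {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip() for p in props}


def _resolve(value, props):
    """Expand ${name} references against <properties>; unknown names stay as written."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def check_pom(pom_xml):
    """Return (coordinate, version, status, detail) for every dependency from the
    list above; status is one of ok, vulnerable, renamed, unpinned."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):  # covers dependencyManagement too
        coord = "%s:%s" % (_text(dep, "groupId"), _text(dep, "artifactId"))
        version = _resolve(_text(dep, "version"), props)
        if coord in RENAMED:
            findings.append((coord, version, "renamed", "fix is only published as " + RENAMED[coord]))
        elif coord in FLOORS:
            floor, advisory = FLOORS[coord]
            if version is None or "${" in version:
                findings.append((coord, version, "unpinned", "resolve with mvn help:effective-pom"))
            elif version_key(version) < version_key(floor):
                findings.append((coord, version, "vulnerable", "%s needs >= %s" % (advisory, floor)))
            else:
                findings.append((coord, version, "ok", "%s fixed at %s" % (advisory, floor)))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    for coord, version, status, detail in check_pom(source):
        print("%-10s %-60s %-15s %s" % (status.upper(), coord, version, detail))
```

On the constructed sample this reports commons-io (2.4 via property) and lettuce-core (6.3.2.RELEASE) as vulnerable, bcprov-jdk15on as renamed, and netty-common, ion-java and spring-security-oauth2 as ok. Versions inherited from a parent pom or imported BOMs are not visible to a literal read, which is why an unpinned result points at `mvn help:effective-pom`.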
Summary
The dependency upgrades close the issues listed above (two rated High, the rest Medium) and leave no Critical findings. Because several of these fixes arrive transitively (the Netty fix through lettuce-core) and one requires new coordinates (bcprov-jdk18on), re-run the dependency scanner against the effective pom after the change to confirm that no path still resolves a vulnerable version.