Dependency Bumps - Vulnerabilities

Summary

This change updates the core-lib-azure.version property from 2.0.2 to 2.0.4 in the provider/indexer-azure module, which in turn changes the transitive io.netty and org.apache.tomcat.embed versions resolved by that module.

Key Modifications

  • The version of the core-lib-azure dependency has been updated from 2.0.2 to 2.0.4.

Security Impact

New Vulnerabilities

  • Medium Severity: CVE-2025-25193 - A potential denial of service vulnerability in the io.netty:netty-common package (version 4.1.116.Final) due to an unsafe reading of environment files. Note that this is the same CVE listed under Fixed Vulnerabilities below at 4.1.115.Final: the bump moves netty-common from 4.1.115.Final to 4.1.116.Final, and the advisory range still covers 4.1.116.Final, so the finding carries over rather than being fixed. Treat it as an open item until the resolved netty-common version is at or above the advisory's fixed version.

Fixed Vulnerabilities

  • High Severity:

    • CVE-2024-50379 - A remote code execution vulnerability in the org.apache.tomcat.embed:tomcat-embed-core package (version 10.1.33) due to a TOCTOU issue in JSP compilation.
    • CVE-2024-56337 - An incomplete fix for CVE-2024-50379 in the org.apache.tomcat.embed:tomcat-embed-core package (version 10.1.33).
  • Medium Severity:

    • CVE-2025-24970 - A vulnerability in the io.netty:netty-handler package (versions 4.1.115.Final and 4.1.116.Final) where the SslHandler does not correctly validate packets, potentially leading to a native crash when using the native SSLEngine. The advisory range also covers 4.1.116.Final, so confirm the resolved netty-handler version after the bump before treating this as closed.
    • CVE-2025-25193 - A potential denial of service vulnerability in the io.netty:netty-common package (version 4.1.115.Final) due to an unsafe reading of environment files.
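Because the scanner reports the same netty CVE at 4.1.115.Final under "fixed" and at 4.1.116.Final under "new", the useful check is the resolved netty version in the module after the bump. The script below is an added example and is not part of this merge request or of core-lib-azure: it parses `mvn dependency:tree` output and prints every io.netty artifact whose version is below a fix version passed as an argument. The fix version 4.1.118.Final used in the usage comment is an assumption taken from the Netty advisory for CVE-2025-25193 and CVE-2025-24970; it is not stated on this page. The embedded tree text is constructed to mirror the versions on this page.

```shell
#!/bin/sh
# Added example, not code from the merge request or from core-lib-azure.
# Flags io.netty artifacts in `mvn dependency:tree` output whose version is
# below a given fix version. Real usage against the module on this page:
#   mvn -q dependency:tree -Dincludes=io.netty -DoutputFile=tree.txt \
#       -f provider/indexer-azure/pom.xml
#   netty_below_fix 4.1.118.Final < tree.txt   # 4.1.118.Final is an assumed fix version

# Constructed sample of dependency:tree output (versions mirror this page).
SAMPLE_TREE='[INFO] org.example:indexer-azure:jar:0.0.1-SNAPSHOT
[INFO] +- org.example:unrelated-lib:jar:1.2.3:compile
[INFO] +- io.netty:netty-common:jar:4.1.116.Final:compile
[INFO] +- io.netty:netty-handler:jar:4.1.116.Final:compile'

# Print "group:artifact:version" for every io.netty artifact on stdin whose
# major.minor.patch is numerically below $1. Output is empty when nothing is below.
netty_below_fix() {
  awk -v fix="$1" '
    # 4.1.116.Final -> 4*1000000 + 1*1000 + 116; ignores the ".Final" qualifier
    function numver(v, a) {
      split(v, a, ".")
      return a[1] * 1000000 + a[2] * 1000 + a[3]
    }
    {
      # Coordinate token looks like io.netty:netty-common:jar:4.1.116.Final:compile
      if (match($0, /io\.netty:[^: ]+:jar:[^: ]+/)) {
        coord = substr($0, RSTART, RLENGTH)
        split(coord, f, ":")
        if (numver(f[4]) < numver(fix)) print f[1] ":" f[2] ":" f[4]
      }
    }'
}

# Convenience wrapper: number of io.netty artifacts below the fix version.
netty_below_fix_count() {
  printf '%s\n' "$2" | netty_below_fix "$1" | grep -c .
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_TREE" | netty_below_fix 4.1.118.Final
```

Run it against the real tree output of provider/indexer-azure after the bump; a non-empty result means the netty finding is still open regardless of how the scanner labels it. The comparison deliberately ignores the `.Final` qualifier, which is enough for netty's release numbering but would need extending for artifacts that use pre-release qualifiers.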

Vulnerability Comparison

Fixed Vulnerabilities

HIGH

  • CVE-2024-50379 in org.apache.tomcat.embed:tomcat-embed-core 10.1.33 (provider/indexer-azure/pom.xml)
  • CVE-2024-56337 in org.apache.tomcat.embed:tomcat-embed-core 10.1.33 (provider/indexer-azure/pom.xml)
  • CVE-2025-24970 in io.netty:netty-handler 4.1.115.Final (pom.xml)
  • CVE-2025-24970 in io.netty:netty-handler 4.1.115.Final (provider/indexer-azure/pom.xml)

MEDIUM

  • CVE-2025-25193 in io.netty:netty-common 4.1.115.Final (pom.xml)
  • CVE-2025-25193 in io.netty:netty-common 4.1.115.Final (provider/indexer-azure/pom.xml)
