
Vulnerability Fixes.

Daniel Scholl (MS) requested to merge vulnerabilities into master

Bug: Nano Duration Logging bug fix.

Fix: Address vulnerabilities in partition:latest

This PR resolves vulnerabilities identified in the partition:latest image and associated Java dependencies.

Vulnerabilities Fixed:

  1. io.lettuce:lettuce-core (app.jar)
     • Vulnerability: GHSA-q4h9-7rxj-7gx2
     • Severity: Medium
     • Issue: Netty vulnerability included in Redis lettuce
     • Resolution: Upgraded from 6.3.2.RELEASE to 6.5.1.RELEASE.

  2. io.netty:netty-common (app.jar)
     • Vulnerability: CVE-2024-47535
     • Severity: Medium
     • Issue: Denial of Service attack on Windows apps using Netty
     • Resolution: Upgraded from 4.1.109.Final to 4.1.115.

  3. org.apache.tomcat.embed:tomcat-embed-core (app.jar)
     • Vulnerability: CVE-2024-34750
     • Severity: High
     • Issue: Improper Handling of Exceptional Conditions in Tomcat
     • Resolution: Upgraded from 10.1.20 to 10.1.25.

  4. org.springframework.security:spring-security-web (app.jar)
     • Vulnerability: CVE-2024-38821
     • Severity: Critical
     • Issue: Authorization Bypass of Static Resources in Spring WebFlux Applications
     • Resolution: Upgraded from 6.2.4 to 6.2.7.

  5. org.springframework:spring-beans (app.jar)
     • Vulnerability: CVE-2024-38827
     • Severity: Medium
     • Issue: Authorization bypass for case-sensitive comparisons in Spring Security
     • Resolution: Upgraded from 6.1.6 to 6.1.14.

  6. org.springframework:spring-web (app.jar)
     • Vulnerability: CVE-2024-38809
     • Severity: Medium
     • Issue: DoS via conditional HTTP requests in Spring Framework
     • Resolution: Upgraded to 6.0.23.

  7. org.springframework:spring-webmvc (app.jar)
     • Vulnerability: CVE-2024-38816
     • Severity: High
     • Issue: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource
     • Resolution: Upgraded to 6.1.13.
Edited by Daniel Scholl (MS)
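As an added regression check (example code, not part of this merge request or the project): a small script that takes the minimum versions listed in the description above and flags any dependency still below them, so a later build cannot silently reintroduce one of the affected versions. It assumes input in the `group:artifact:type:version:scope` shape that `mvn dependency:list` prints; the sample lines are constructed.

```python
import re

# Minimum safe versions, copied from the merge request description above.
MIN_VERSIONS: dict[str, str] = {
    "io.lettuce:lettuce-core": "6.5.1.RELEASE",
    "io.netty:netty-common": "4.1.115",
    "org.apache.tomcat.embed:tomcat-embed-core": "10.1.25",
    "org.springframework.security:spring-security-web": "6.2.7",
    "org.springframework:spring-beans": "6.1.14",
    "org.springframework:spring-web": "6.0.23",
    "org.springframework:spring-webmvc": "6.1.13",
}

# Constructed sample in the group:artifact:type:version:scope shape that
# `mvn dependency:list` prints; two entries are still on vulnerable versions.
SAMPLE_OUTPUT = """\
[INFO]    io.lettuce:lettuce-core:jar:6.3.2.RELEASE:compile
[INFO]    io.netty:netty-common:jar:4.1.115.Final:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.25:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.2.4:compile
[INFO]    org.springframework:spring-beans:jar:6.1.14:compile
[INFO]    org.springframework:spring-web:jar:6.0.23:compile
[INFO]    org.springframework:spring-webmvc:jar:6.1.13:compile
[INFO]    com.example:unrelated-lib:jar:1.0.0:compile
"""

DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+")


def version_key(version: str) -> tuple[int, ...]:
    """Order key built from the numeric parts only, so 4.1.115.Final equals
    4.1.115 and 6.5.1.RELEASE equals 6.5.1; a -SNAPSHOT sorts below its release."""
    digits = [int(p) for p in re.match(r"[\d.]*", version).group(0).split(".") if p]
    digits += [0] * (4 - len(digits))  # pad so 6.2.7 and 6.2.7.0 compare equal
    digits.append(-1 if "SNAPSHOT" in version.upper() else 0)
    return tuple(digits)


def check_dependencies(output: str) -> list[tuple[str, str, str]]:
    """Return (coordinate, found, required) for each dependency below its floor."""
    findings = []
    for line in output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue  # not a dependency line (e.g. other [INFO] output)
        coordinate, found = f"{m.group(1)}:{m.group(2)}", m.group(3)
        required = MIN_VERSIONS.get(coordinate)
        if required and version_key(found) < version_key(required):
            findings.append((coordinate, found, required))
    return findings
```

Running `check_dependencies(SAMPLE_OUTPUT)` reports the lettuce-core and spring-security-web entries and ignores dependencies the merge request does not cover.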
