
Dependency Bumps

Daniel Scholl (MS) requested to merge vulnerabilities into master

Merge Request: Dependency updates

Summary

Version tracking for all packages in pom.xml with updates noted.

Parent Properties

| Package | Original | Update |
|---|---|---|
| spring-framework | 6.2.0 | 6.2.1 |
| spring-boot-dependencies | 3.4.0 | 3.4.1 |
| azure-sdk-bom | 1.2.30 | 1.2.30 |
| azure-spring-boot | 5.18.0 | 5.18.0 |
| microsoft-graph | 6.23.0 | 6.23.0 |
| azure.appinsights | 3.6.2 | 3.6.2 |
| azure-servicebus | 3.6.7 | 3.6.7 |
| azure-eventgrid | 1.4.0 | 1.4.0 |
| io.micrometer | 1.14.1 | 1.14.1 |
| jakarta.servlet | 6.0.0 | 6.0.0 |
| jakarta.inject | 2.0.1 | 2.0.1 |
| json | 20231013 | 20231013 |
| log4j-slf4j-impl | 2.24.2 | 2.24.2 |
| resilience4j | 2.0.0 | 2.0.0 |
| redisson | 3.40.2 | 3.40.2 |
| guava | 33.3.1-jre | 33.3.1-jre |
| surefire-plugin | 2.22.2 | 2.22.2 |
| jacoco-plugin | 0.8.8 | 0.8.8 |
| checkstyle-plugin | 3.1.0 | 3.1.0 |
| lettuce | 6.5.1.RELEASE | 6.5.1.RELEASE |

Resolved Vulnerabilities

  1. org.springframework.boot:spring-boot-dependencies
  • Vulnerability: CVE-2024-56337
    • Severity: High
    • Issue: Incomplete fix for CVE-2024-50379: remote code execution due to a TOCTOU issue in JSP compilation
    • Resolution: Upgraded from 3.4.0 to 3.4.1
  • Vulnerability: CVE-2024-50379
    • Severity: High
    • Issue: Remote code execution due to a TOCTOU issue in JSP compilation
    • Resolution: Upgraded from 3.4.0 to 3.4.1

Both CVEs are in Apache Tomcat (org.apache.tomcat.embed:tomcat-embed-core), which is not listed in the Parent Properties above: its version is managed by spring-boot-dependencies, and 3.4.1 moves it to Tomcat 10.1.34, which carries the fix. The race is only reachable when the default servlet has write enabled (readonly=false, not the default) on a case-insensitive file system; on Java 8 or 11 the fix additionally relies on sun.io.useCanonCaches being set to false, and on Java 17 on it not being set to true. The resolved tomcat-embed-core version should be confirmed after the bump rather than inferred from the BOM number alone.
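Added example, not part of this merge request or the project: a POSIX shell check that the spring-boot-dependencies bump really moved the transitively managed Apache Tomcat embed (tomcat-embed-core, where both CVEs live) to 10.1.34 or later. It parses `mvn dependency:tree` output; the sample tree and the artifact coordinates are constructed, and `MIN_TOMCAT` is an assumption taken from the Tomcat advisory for these CVEs rather than from this MR.

```bash
#!/bin/sh
# Added example (not part of the merge request). Verifies that the resolved
# tomcat-embed-core in the build is at or above the first fixed 10.1.x release.
# Assumption: 10.1.34 is the minimum fixed version (Apache Tomcat advisory for
# CVE-2024-50379 / CVE-2024-56337); adjust if your scanner says otherwise.
set -e

MIN_TOMCAT="10.1.34"

# Numeric, field-by-field comparison of dotted versions.
# Returns 0 when $1 >= $2, 1 otherwise (so 10.1.34 >= 10.1.4, unlike a string sort).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Extract the version from a Maven dependency tree on stdin, e.g.
#   [INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.34:compile
# Prints the first match, or nothing if the artifact is absent.
tomcat_version_from_tree() {
  sed -n 's/.*org\.apache\.tomcat\.embed:tomcat-embed-core:jar:\([0-9][0-9.]*\):.*/\1/p' | head -n 1
}

# Verdict for a tree on stdin: 0 = fixed, 1 = still vulnerable, 2 = artifact not found.
check_tree() {
  v=$(tomcat_version_from_tree)
  if [ -z "$v" ]; then
    echo "tomcat-embed-core not found in dependency tree" >&2
    return 2
  fi
  if version_ge "$v" "$MIN_TOMCAT"; then
    echo "tomcat-embed-core $v >= $MIN_TOMCAT: fix for CVE-2024-50379 / CVE-2024-56337 present"
    return 0
  fi
  echo "tomcat-embed-core $v < $MIN_TOMCAT: still vulnerable" >&2
  return 1
}

# Constructed sample of what the real command prints after the 3.4.1 bump.
SAMPLE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.4.1:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:3.4.1:compile
[INFO] |     \- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.34:compile'

# Offline run against the constructed sample.
check_sample() {
  printf '%s\n' "$SAMPLE_TREE" | check_tree
}

# Real run: execute from the module directory with Maven on PATH.
check_project() {
  mvn -q dependency:tree -Dincludes=org.apache.tomcat.embed:tomcat-embed-core | check_tree
}

if [ "${1:-}" = "--project" ]; then
  check_project
else
  check_sample
fi
```

Run it with `--project` in the module directory to check the real build; without arguments it only exercises the constructed sample. The numeric comparison matters here because a plain string sort would rank 10.1.4 above 10.1.34.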
