Version Bumps - Vulnerabilities (!371) · Merge requests · OSDU / OSDU Data Platform / System / Lib / cloud / azure / OS Core Lib Azure · GitLab

Daniel Scholl (MS] requested to merge vulnerabilities into master Feb 13, 2025

Summary

This merge request updates the versions of several dependencies and introduces security fixes.

Key Modifications

Update azure-sdk-bom.version from 1.2.30 to 1.2.31
Update azure-spring-boot.version from 5.18.0 to 5.19.0
Add netty.version property set to 4.1.118.Final
Override netty-handler dependency version to 4.1.118.Final
Add json-smart dependency with version 2.5.2

Technical Details

The netty-handler dependency version is overridden to 4.1.118.Final to address the CVE-2024-24970 vulnerability in Netty before 4.1.108, which could lead to HTTP Request Smuggling, cache poisoning, security bypass, and request forgery.
The json-smart dependency is added with version 2.5.2 to fix the CVE-2024-57699 vulnerability in versions before 2.5.2, which were susceptible to Denial of Service (DoS) attacks.