Vulnerability Fixes and Workload Identity Enablement
New Feature: Updated OSDU Core Lib Azure supports workload identity capabilities.

Fix: Resolve vulnerabilities in pom.xml

This PR highlights the vulnerabilities that have been resolved in pom.xml. Below is the delta of vulnerabilities that were present in the previous scan but are no longer found in the current state.

Resolved Vulnerabilities:

- com.azure:azure-identity
  - Vulnerability: CVE-2024-35255
  - Severity: Medium
  - Issue: Azure Identity Libraries Elevation of Privilege Vulnerability
  - Resolution: Upgraded from 1.11.2 to 1.12.2.
- com.nimbusds:nimbus-jose-jwt
  - Vulnerability: CVE-2023-52428
  - Severity: Medium
  - Issue: Large JWE p2c header value causes Denial of Service
  - Resolution: Upgraded from 9.30.2 to 9.37.2.
- io.netty:netty-common
  - Vulnerability: CVE-2024-47535
  - Severity: Medium
  - Issue: Denial of Service attack on Windows apps using Netty
  - Resolution: Upgraded from 4.1.114.Final to 4.1.115.
- org.springframework:spring-beans
  - Vulnerability: CVE-2024-38827
  - Severity: Medium
  - Issue: Authorization bypass for case-sensitive comparisons in Spring Security
  - Resolution: Upgraded from 6.1.6 to 6.1.14.
- org.springframework:spring-context
  - Vulnerability: CVE-2024-38820
  - Severity: Medium
  - Issue: DataBinder vulnerability related to disallowedFields patterns
  - Resolution: Addressed through updated libraries.
By resolving these vulnerabilities, the project achieves improved security and mitigates associated risks. Please review and approve this PR.
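As an added reviewer's check (not part of this PR or the OSDU code base), the script below parses a constructed pom.xml and reports any of the four upgraded artifacts still declared below the version this PR moves them to; spring-context is left out because the PR states no target version for it, and the version ordering is a simplified, assumed approximation of Maven's rules (Final/GA/release count as a plain release, other qualifiers rank below it).

```python
import re
import xml.etree.ElementTree as ET

# Minimum fixed versions taken from the PR description above.
MIN_FIXED_VERSIONS = {
    "com.azure:azure-identity": "1.12.2",
    "com.nimbusds:nimbus-jose-jwt": "9.37.2",
    "io.netty:netty-common": "4.1.115",
    "org.springframework:spring-beans": "6.1.14",
}

# Constructed sample pom.xml: netty-common still declares the pre-fix version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.azure</groupId><artifactId>azure-identity</artifactId><version>1.12.2</version></dependency>
    <dependency><groupId>com.nimbusds</groupId><artifactId>nimbus-jose-jwt</artifactId><version>9.37.2</version></dependency>
    <dependency><groupId>io.netty</groupId><artifactId>netty-common</artifactId><version>4.1.114.Final</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId><version>6.1.14</version></dependency>
  </dependencies>
</project>"""

POM_NS = "http://maven.apache.org/POM/4.0.0"
RELEASE_ALIASES = {"final", "ga", "release"}  # assumed: treated like a plain release

def pom_tag(name):
    return f"{{{POM_NS}}}{name}"

def version_key(version):
    """Numeric parts compare numerically; Final/GA/release are dropped so that
    "4.1.114.Final" == "4.1.114"; any other qualifier (rc1, alpha) sorts below a release."""
    key = []
    for part in re.split(r"[.-]", version):
        if part.isdigit():
            key.append((1, int(part), ""))
        elif part and part.lower() not in RELEASE_ALIASES:
            key.append((0, 0, part.lower()))
    return key

def is_at_least(actual, minimum):
    a, b = version_key(actual), version_key(minimum)
    n = max(len(a), len(b))
    a += [(1, 0, "")] * (n - len(a))  # "4.1" == "4.1.0"; a trailing qualifier < release
    b += [(1, 0, "")] * (n - len(b))
    return a >= b

def outdated_dependencies(pom_xml, minimums=MIN_FIXED_VERSIONS):
    """Return {coordinate: declared version} for listed artifacts still below the fix.
    ${property} placeholders cannot be compared here and are reported as-is."""
    findings = {}
    for dep in ET.fromstring(pom_xml).iter(pom_tag("dependency")):
        coord = f'{dep.findtext(pom_tag("groupId"))}:{dep.findtext(pom_tag("artifactId"))}'
        version = dep.findtext(pom_tag("version"))
        if coord in minimums and version is not None:
            if version.startswith("${") or not is_at_least(version, minimums[coord]):
                findings[coord] = version
    return findings
```

This only inspects versions declared directly in the file; transitive versions and those set through dependencyManagement or properties should be confirmed against the output of `mvn dependency:tree`.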