Vulnerability Fixes for Parent POM.
pom.xml
Merge Request: Resolve Vulnerabilities in Summary
This Merge Request addresses the vulnerabilities identified in the pom.xml file by upgrading the affected libraries to their respective fixed versions. Below are the details of the resolved vulnerabilities and the updated dependency versions.
Resolved Vulnerabilities:
1. io.netty:netty-common
- Vulnerability: CVE-2024-47535
- Severity: Medium
- Issue: Denial of Service attack vulnerability on Windows applications using Netty
- Resolution: Upgraded from 4.1.114.Final to 4.1.115
2. org.apache.tomcat.embed:tomcat-embed-core
- Vulnerability: CVE-2024-50379
- Severity: High
- Issue: Remote Code Execution due to TOCTOU issue in JSP compilation
- Resolution: Upgraded from 10.1.31 to 10.1.34
3. org.springframework:spring-beans (and related Spring components)
- Vulnerability: CVE-2024-38827
- Severity: Medium
- Issue: Authorization bypass for case-sensitive comparisons
- Resolution: Upgraded from 6.1.13 to 6.1.14
4. org.springframework:spring-context
- Vulnerability: CVE-2024-38820
- Severity: Medium
- Issue: DataBinder security vulnerability
- Resolution: Upgraded from 6.1.13 to 6.1.14
5. org.springframework:spring-webmvc
- Vulnerability: CVE-2024-38819
- Severity: High
- Issue: Path traversal vulnerability in functional web frameworks
- Resolution: Upgraded from 6.1.13 to 6.1.14
Scan Results Before and After:
Before Fix
- Total Vulnerabilities: 19
- Unknown: 0, Low: 2, Medium: 12, High: 5, Critical: 0
After Fix
- Total Vulnerabilities: 11
- Unknown: 0, Low: 2, Medium: 6, High: 3, Critical: 0
Details of Vulnerability Delta:
The following vulnerabilities have been resolved as part of this Merge Request:
- io.netty:netty-common (CVE-2024-47535)
- org.apache.tomcat.embed:tomcat-embed-core (CVE-2024-50379)
- org.springframework:spring-beans (CVE-2024-38827)
- org.springframework:spring-context (CVE-2024-38820)
- org.springframework:spring-context (CVE-2024-38827)
- org.springframework:spring-core (CVE-2024-38827)
- org.springframework:spring-expression (CVE-2024-38827)
- org.springframework:spring-webmvc (CVE-2024-38819)
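As an added check that is not part of this Merge Request or the project's code: a version bump in the parent POM only fixes a module if nothing in that module overrides the managed version or pulls an older copy in transitively, so the resolved versions are worth verifying per module with `mvn dependency:tree`. The script below (example code, written for this note) parses that command's output and reports any of the artifacts listed above that still resolve below the fixed version from this MR. The tree text embedded in it is constructed sample output, not a real scan, and deliberately leaves spring-expression at 6.1.13 so the check has something to report.

```python
"""Compare a Maven dependency tree against the minimum fixed versions from the MR."""
import re
import sys

# Minimum versions in which the CVEs listed in the MR are fixed, keyed by groupId:artifactId.
FIXED_VERSIONS = {
    "io.netty:netty-common": "4.1.115",
    "org.apache.tomcat.embed:tomcat-embed-core": "10.1.34",
    "org.springframework:spring-beans": "6.1.14",
    "org.springframework:spring-context": "6.1.14",
    "org.springframework:spring-core": "6.1.14",
    "org.springframework:spring-expression": "6.1.14",
    "org.springframework:spring-webmvc": "6.1.14",
}

# Constructed sample of `mvn dependency:tree` output (not real project output).
# spring-expression is intentionally left at 6.1.13 to demonstrate a finding.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ parent ---
[INFO] com.example:parent:pom:1.0.0
[INFO] +- io.netty:netty-common:jar:4.1.115.Final:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.34:compile
[INFO] \\- org.springframework:spring-webmvc:jar:6.1.14:compile
[INFO]    +- org.springframework:spring-beans:jar:6.1.14:compile
[INFO]    +- org.springframework:spring-context:jar:6.1.14:compile
[INFO]    +- org.springframework:spring-core:jar:6.1.14:compile
[INFO]    \\- org.springframework:spring-expression:jar:6.1.13:compile
"""


def parse_tree(text):
    """Map groupId:artifactId -> resolved version for every node in a dependency tree.

    Each tree line ends with a coordinate of the form
    groupId:artifactId:packaging[:classifier]:version[:scope]; the root module
    line has no scope, so the version is the last field there.
    """
    resolved = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        coord = tokens[-1]
        if "(" in coord or ")" in coord:
            continue  # verbose-mode annotations such as "(... - omitted for conflict)"
        parts = coord.split(":")
        if len(parts) < 4:
            continue  # plugin banner and other non-coordinate lines
        version = parts[3] if len(parts) == 4 else parts[-2]
        resolved[f"{parts[0]}:{parts[1]}"] = version
    return resolved


def version_key(version):
    """Leading numeric components of a Maven version: '4.1.115.Final' -> (4, 1, 115)."""
    key = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def find_unfixed(tree_text, fixed=FIXED_VERSIONS):
    """Return {coordinate: resolved version} for listed artifacts still below the fixed version."""
    resolved = parse_tree(tree_text)
    unfixed = {}
    for coord, minimum in fixed.items():
        if coord not in resolved:
            continue  # artifact is not on this module's classpath
        if version_key(resolved[coord]) < version_key(minimum):
            unfixed[coord] = resolved[coord]
    return unfixed


if __name__ == "__main__":
    # Usage: mvn dependency:tree > tree.txt && python check_versions.py tree.txt
    tree = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    findings = find_unfixed(tree)
    for coord, version in sorted(findings.items()):
        print(f"STILL VULNERABLE: {coord} resolves to {version}, needs {FIXED_VERSIONS[coord]}")
    sys.exit(1 if findings else 0)
```

Run it against the tree of each child module, not only the parent, since child POMs can declare their own versions that override the parent's management.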