Version Bumps - Vulnerabilities

Summary

This merge request updates the versions of the following dependencies:

  • json-smart from 2.5.1 to 2.5.2 in partition-core/pom.xml
  • core-lib-azure from 2.0.3 to 2.0.4 in provider/partition-azure/pom.xml

Key Modifications

  • The json-smart library version has been updated to 2.5.2 in the partition-core module. This addresses a high-severity vulnerability (CVE-2024-57699) present in the previous version 2.5.1.

  • The core-lib-azure library version has been updated to 2.0.4 in the partition-azure module.

Security Impact Analysis

  • The update to json-smart 2.5.2 fixes a high-severity vulnerability (CVE-2024-57699) that was present in the previous version 2.5.1. This vulnerability posed a security risk and has been mitigated by upgrading to the newer version.

  • Additionally, a high-severity vulnerability (CVE-2025-24970) related to the io.netty:netty-handler package has been fixed in the provider/partition-azure/pom.xml file. This vulnerability could lead to native crashes when using the native SSLEngine and has been addressed in the updated dependencies.

Vulnerability Comparison

Fixed Vulnerabilities

HIGH

  • CVE-2024-57699 in net.minidev:json-smart 2.5.1 (partition-core/pom.xml)
  • CVE-2024-57699 in net.minidev:json-smart 2.5.1 (provider/partition-azure/pom.xml)
  • CVE-2025-24970 in io.netty:netty-handler 4.1.116.Final (provider/partition-azure/pom.xml)
