Vulnerability Fixing and POM Reorganization

Daniel Scholl (MS]requested to merge
vulnerabilities into master

Fix: Resolve vulnerabilities in pom.xml

This PR addresses vulnerabilities in multiple libraries, including critical and high-severity issues. Below is the delta of vulnerabilities that were present in the previous scan but have been resolved in the current state.

Resolved Vulnerabilities:

  1. com.azure:azure-identity

    • Vulnerability: CVE-2024-35255
      • Severity: Medium
      • Issue: Azure Identity Libraries Elevation of Privilege Vulnerability.
      • Resolution: Upgraded from 1.11.2 to 1.12.2.

  2. com.nimbusds:nimbus-jose-jwt

    • Vulnerability: CVE-2023-52428
      • Severity: High
      • Issue: Large JWE p2c header value causes Denial of Service.
      • Resolution: Upgraded from 9.30.2 to 9.37.2.

  3. org.asynchttpclient:async-http-client

    • Vulnerability: CVE-2024-53990
      • Severity: Critical
      • Issue: CookieStore replaces explicitly defined cookies, leading to potential security issues.
      • Resolution: Upgraded from 2.12.1 to 2.12.4.

  4. io.lettuce:lettuce-core

    • Vulnerability: GHSA-q4h9-7rxj-7gx2
      • Severity: Medium
      • Issue: Netty vulnerability included in Redis Lettuce.
      • Resolution: Upgraded from 6.3.2.RELEASE to 6.5.1.RELEASE.

By upgrading these libraries to their secure versions, this PR significantly improves the project's security posture by mitigating critical and high-risk vulnerabilities. Please review and approve.

Merge request reports