Move os-core-common-spring6 to os-core-common (latest)

Daniel Scholl (MS]requested to merge
vulnerabilities into master

Changes

  • Updated os-core-common version from 0.26.0-rc2 to 3.3.0
  • Updated json-smart version from 2.5.1 to 2.5.2
  • Updated core-lib-azure version from 2.0.3 to 2.0.4
  • Updated os-core-lib-ibm version from 0.26.0-rc8 to 0.27.0-rc3
  • Changed dependency os-core-common-spring6 to os-core-common
  • Updated test case AuthorizationServiceForServiceAdminImplTest to use JWTClaimsSet and JWSObject instead of Jws<Claims>

Security Impact

New Vulnerabilities

High Severity

  • CVE-2025-24970 (pom): Vulnerability in io.netty:netty-handler version 4.1.114.Final where SslHandler doesn't correctly validate packets, leading to potential native crashes when using native SSLEngine. Fixed in version 4.1.118.Final.

Medium Severity

  • CVE-2024-47535 (pom): Denial of Service vulnerability in io.netty:netty-common version 4.1.114.Final on Windows applications due to unsafe reading of environment file. Fixed in version 4.1.115.
  • CVE-2025-25193 (pom): Denial of Service vulnerability in io.netty:netty-common versions up to 4.1.118.Final due to incomplete fix for CVE-2024-47535. Fixed in commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386.

Fixed Vulnerabilities

High Severity

  • CVE-2024-57699: Security issue in net.minidev:json-smart versions 2.5.0 through 2.5.1, fixed by upgrading to version 2.5.2.
  • CVE-2025-24970: Vulnerability in io.netty:netty-handler version 4.1.116.Final, fixed by upgrading to a later version.
Edited by Daniel Scholl (MS]

Merge request reports