Move os-core-common-spring6 to os-core-common (latest) (!739) · Merge requests · OSDU / OSDU Data Platform / System / Schema · GitLab

Daniel Scholl (MS] requested to merge vulnerabilities into master Feb 13, 2025

Changes

Updated os-core-common version from 0.26.0-rc2 to 3.3.0
Updated json-smart version from 2.5.1 to 2.5.2
Updated core-lib-azure version from 2.0.3 to 2.0.4
Updated os-core-lib-ibm version from 0.26.0-rc8 to 0.27.0-rc3
Changed dependency os-core-common-spring6 to os-core-common
Updated test case AuthorizationServiceForServiceAdminImplTest to use JWTClaimsSet and JWSObject instead of Jws<Claims>

Security Impact

New Vulnerabilities

High Severity

CVE-2025-24970 (pom): Vulnerability in io.netty:netty-handler version 4.1.114.Final where SslHandler doesn't correctly validate packets, leading to potential native crashes when using native SSLEngine. Fixed in version 4.1.118.Final.

Medium Severity

CVE-2024-47535 (pom): Denial of Service vulnerability in io.netty:netty-common version 4.1.114.Final on Windows applications due to unsafe reading of environment file. Fixed in version 4.1.115.
CVE-2025-25193 (pom): Denial of Service vulnerability in io.netty:netty-common versions up to 4.1.118.Final due to incomplete fix for CVE-2024-47535. Fixed in commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386.

Fixed Vulnerabilities

High Severity

CVE-2024-57699: Security issue in net.minidev:json-smart versions 2.5.0 through 2.5.1, fixed by upgrading to version 2.5.2.
CVE-2025-24970: Vulnerability in io.netty:netty-handler version 4.1.116.Final, fixed by upgrading to a later version.

Edited Feb 13, 2025 by Daniel Scholl (MS]