Dependency Bumps - Vulnerabilities

Summary

This merge request updates the core-lib-azure dependency version from 2.0.2 to 2.0.4 in the provider/search-azure module.

Changes

Dependencies

• Updated core-lib-azure version from 2.0.2 to 2.0.4 in provider/search-azure/pom.xml.

Security Impact

New Vulnerabilities

Medium Severity:

• CVE-2025-25193 (pom): A vulnerability in io.netty:netty-common version 4.1.116.Final introduced by the updated core-lib-azure dependency. This vulnerability could potentially cause a denial of service in Netty when an unsafe reading of an environment file occurs.

Fixed Vulnerabilities

High Severity:

• CVE-2025-24970 (pom): A vulnerability in io.netty:netty-handler version 4.1.115.Final related to improper packet validation in SslHandler, which could lead to a native crash when using the native SSLEngine. This vulnerability has been fixed in the updated core-lib-azure dependency.

Medium Severity:

• CVE-2025-25193 (pom): The same vulnerability in io.netty:netty-common version 4.1.115.Final has been fixed in the updated core-lib-azure dependency.

Vulnerability Comparison

Fixed Vulnerabilities

HIGH

• CVE-2025-24970 in io.netty:netty-handler 4.1.115.Final (provider/search-azure/pom.xml)

MEDIUM

• CVE-2025-25193 in io.netty:netty-common 4.1.115.Final (provider/search-azure/pom.xml

changed milestone to %M25 - Release 0.28

added Azure ImpactPatch MRDependencies Upgrade Vulnerability Management labels

assigned to @danielscholl

added 1 commit

• 1a1d3629 - FOSSA notice.

Compare with previous version

added 1 commit

• 73dddc86 - FOSSA Update

Compare with previous version

approved this merge request

merged

mentioned in commit 1bd1481f