Dependency Bumps - Vulnerabilities (!746) · Merge requests · OSDU / OSDU Data Platform / System / Search · GitLab

Daniel Scholl (MS] requested to merge vulnerabilities into master Feb 14, 2025

Summary

This merge request updates the core-lib-azure dependency version from 2.0.2 to 2.0.4 in the provider/search-azure module.

Changes

Dependencies

Updated core-lib-azure version from 2.0.2 to 2.0.4 in provider/search-azure/pom.xml.

Security Impact

New Vulnerabilities

Medium Severity:

CVE-2025-25193 (pom): A vulnerability in io.netty:netty-common version 4.1.116.Final introduced by the updated core-lib-azure dependency. This vulnerability could potentially cause a denial of service in Netty when an unsafe reading of an environment file occurs.

Fixed Vulnerabilities

High Severity:

CVE-2025-24970 (pom): A vulnerability in io.netty:netty-handler version 4.1.115.Final related to improper packet validation in SslHandler, which could lead to a native crash when using the native SSLEngine. This vulnerability has been fixed in the updated core-lib-azure dependency.

Medium Severity:

CVE-2025-25193 (pom): The same vulnerability in io.netty:netty-common version 4.1.115.Final has been fixed in the updated core-lib-azure dependency.

Vulnerability Comparison

Fixed Vulnerabilities

HIGH

CVE-2025-24970 in io.netty:netty-handler 4.1.115.Final (provider/search-azure/pom.xml)

MEDIUM

CVE-2025-25193 in io.netty:netty-common 4.1.115.Final (provider/search-azure/pom.xml