Vulnerabilities and POM updates.

Daniel Scholl requested to merge vulnerabilities into master

Vulnerability Fix: Updated Libraries in pom.xml

This PR addresses several critical, high, and medium-severity vulnerabilities by updating dependencies in the pom.xml file. Below are the resolved issues and the details of the updates:
Fixed Vulnerabilities:

  1. com.azure:azure-identity

    • Vulnerability: CVE-2024-35255
    • Severity: Medium
    • Issue: Elevation of privilege in Azure Identity Libraries.
    • Resolution: Upgraded from 1.0.1 to 1.12.2.
  2. com.google.protobuf:protobuf-java

    • Vulnerability: CVE-2024-7254
    • Severity: High
    • Issue: StackOverflow vulnerability in Protocol Buffers.
    • Resolution: Upgraded from 3.24.4 to 3.25.5.
  3. com.nimbusds:nimbus-jose-jwt

    • Vulnerability: CVE-2023-52428
    • Severity: High
    • Issue: Denial of Service due to large p2c header values.
    • Resolution: Upgraded from 7.9 to 9.37.2.
  4. com.squareup.okio:okio

    • Vulnerability: CVE-2023-3635
    • Severity: Medium
    • Issue: Improper exception handling in GzipSource class.
    • Resolution: Upgraded from 2.7.0 to 3.4.0.
  5. org.apache.commons:commons-compress

    • Vulnerabilities:
      • CVE-2024-25710
        • Severity: High
        • Issue: Denial of Service caused by infinite loops with corrupted input.
      • CVE-2024-26308
        • Severity: Medium
        • Issue: OutOfMemoryError when unpacking broken Pack200 files.
    • Resolution: Upgraded from 1.21 to 1.26.0.
  6. io.lettuce:lettuce-core

    • Vulnerability: GHSA-q4h9-7rxj-7gx2
    • Severity: Medium
    • Issue: Vulnerability in Netty included with Redis Lettuce.
    • Resolution: Upgraded from 6.3.2.RELEASE to 6.5.1.RELEASE.
  7. io.netty:netty-common

    • Vulnerability: CVE-2024-47535
    • Severity: Medium
    • Issue: Denial of Service attack on Windows apps using Netty.
    • Resolution: Upgraded from 4.1.114.Final to 4.1.115.
  8. software.amazon.ion:ion-java

    • Vulnerability: CVE-2024-21634
    • Severity: High
    • Issue: StackOverflow vulnerability in Ion Java.
    • Resolution: Upgraded from 1.2.0 to 1.10.5.
  9. org.springframework:spring-beans

    • Vulnerability: CVE-2024-38827
    • Severity: Medium
    • Issue: Authorization bypass for case-sensitive comparisons in Spring Security.
    • Resolution: Upgraded to 6.1.14.
  10. org.xerial.snappy:snappy-java

    • Vulnerabilities:
      • CVE-2023-34455
        • Severity: High
        • Issue: Unchecked chunk length leading to DoS.
      • CVE-2023-43642
        • Severity: High
        • Issue: Missing upper-bound check on chunk length.
      • CVE-2023-34453
        • Severity: Medium
        • Issue: Integer overflow in shuffle leading to DoS.
    • Resolution: Upgraded from 1.1.8.4 to 1.1.10.4.

Summary

The updates have successfully reduced the total number of vulnerabilities, resolving critical issues and several high- and medium-severity vulnerabilities. This significantly enhances the project's security posture.
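The check a reviewer would want for a merge request like this is that every dependency named above is actually declared at or above the version the description says fixes it. The script below is an added example, not code from the merge request or the project: it parses a pom.xml (namespaced, version properties resolved) and reports any of the ten listed dependencies still below the floor taken from the list above. The pom content and the `example:demo` coordinates are constructed for illustration; the version comparison ignores qualifiers such as `.RELEASE` and `.Final`, which is an assumption that holds for these floors but not for Maven version ordering in general.

```python
"""Check declared pom.xml versions against the floors listed in the MR.

Added example; the sample pom below is constructed, not the project's own.
"""
import re
import xml.etree.ElementTree as ET

# Minimum versions the MR description says resolve the listed advisories.
MIN_FIXED = {
    ("com.azure", "azure-identity"): "1.12.2",
    ("com.google.protobuf", "protobuf-java"): "3.25.5",
    ("com.nimbusds", "nimbus-jose-jwt"): "9.37.2",
    ("com.squareup.okio", "okio"): "3.4.0",
    ("org.apache.commons", "commons-compress"): "1.26.0",
    ("io.lettuce", "lettuce-core"): "6.5.1.RELEASE",
    ("io.netty", "netty-common"): "4.1.115",
    ("software.amazon.ion", "ion-java"): "1.10.5",
    ("org.springframework", "spring-beans"): "6.1.14",
    ("org.xerial.snappy", "snappy-java"): "1.1.10.4",
}

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}


def version_key(v):
    """'6.3.2.RELEASE' -> (6, 3, 2): numeric segments only, qualifier dropped.
    Assumption: qualifiers do not matter for the floors in MIN_FIXED."""
    nums = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break  # first non-numeric segment (RELEASE, Final, ...) ends it
        nums.append(int(part))
    return tuple(nums)


def is_at_least(found, minimum):
    """Compare two versions segment-wise, padding with zeros so 1.26 == 1.26.0."""
    a, b = version_key(found), version_key(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def declared_versions(pom_xml):
    """Map (groupId, artifactId) -> version for each <dependency>,
    resolving ${property} references against <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        g = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        v = dep.findtext("m:version", default="", namespaces=NS).strip()
        m = re.fullmatch(r"\$\{(.+)\}", v)
        if m:
            v = props.get(m.group(1), v)
        if v:  # a dependency without a version is managed elsewhere; skip it
            found[(g, a)] = v
    return found


def below_floor(pom_xml):
    """Return {(group, artifact): (declared, minimum)} for every listed
    dependency still declared below the MR's fixed version."""
    out = {}
    for ga, v in declared_versions(pom_xml).items():
        if ga in MIN_FIXED and not is_at_least(v, MIN_FIXED[ga]):
            out[ga] = (v, MIN_FIXED[ga])
    return out


# Constructed sample pom: two dependencies still at pre-fix versions,
# one pinned through a property, one already at the floor.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <netty.version>4.1.115.Final</netty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>3.24.4</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-common</artifactId>
      <version>${netty.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>1.26.0</version>
    </dependency>
    <dependency>
      <groupId>io.lettuce</groupId>
      <artifactId>lettuce-core</artifactId>
      <version>6.3.2.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for (g, a), (have, need) in sorted(below_floor(SAMPLE_POM).items()):
        print(f"{g}:{a} declared {have}, needs >= {need}")
```

On the sample pom this reports protobuf-java and lettuce-core as still below their floors, and accepts netty-common because the property resolves to 4.1.115.Final. Note that a declared version in pom.xml is not the same as the version Maven resolves: a transitive dependency (for example the Netty pulled in by lettuce-core) can still be the older artifact unless it is pinned in dependencyManagement, so confirm the result of a change like this with `mvn dependency:tree` rather than with the pom alone.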
