Dependency Bumps - Vulnerabilities (!987) · Merge requests · OSDU / OSDU Data Platform / System / Storage · GitLab

Daniel Scholl (MS] requested to merge vulnerabilities into master Feb 13, 2025

Summary

This merge request updates the version of the core-lib-azure dependency to 2.0.4 in the provider/storage-azure module.

Key Changes

The version of the core-lib-azure dependency has been updated from 2.0.3 to 2.0.4 in the pom.xml file.

Security Impact

This update addresses the following security vulnerability:

CVE-2025-24970 (HIGH Severity): This vulnerability in the io.netty:netty-handler package (version 4.1.116.Final) used by the provider/storage-azure module has been fixed. The issue involved the SslHandler not correctly validating packets, which could lead to a native crash when using the native SSLEngine.
- By updating the core-lib-azure dependency to version 2.0.4, this vulnerability has been addressed and mitigated.

Vulnerability Comparison

Fixed Vulnerabilities

HIGH

CVE-2025-24970 in io.netty:netty-handler 4.1.116.Final (provider/storage-azure/pom.xml)

Edited Feb 13, 2025 by Daniel Scholl (MS]