Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Transitive dependency on commons-io 2.2, which is vulnerable #488

Closed
bogdanb opened this issue Dec 2, 2022 · 4 comments
Closed

Transitive dependency on commons-io 2.2, which is vulnerable #488

bogdanb opened this issue Dec 2, 2022 · 4 comments
Assignees
@deki
Labels
CVE Critical security vulnerability in dependencies

Comments

@bogdanb
Copy link

bogdanb commented Dec 2, 2022

Serverless Java Container version: 1.9

Implementations: Spring Boot 2

Framework version: SpringBoot 2.6.6

Frontend service: N/A

Deployment method: N/A

Scenario

I’m using com.amazonaws.serverless:aws-serverless-java-container-springboot2:1.9 in a project, built using Gradle if it matters. This pulls in commons-io:2.2 via the following chain:

  • (root project)
  • com.amazonaws.serverless:aws-serverless-java-container-springboot2:1.9
  • com.amazonaws.serverless:aws-serverless-java-container-core:1.9
  • commons-fileupload:commons-fileupload:1.4
  • commons-io:commons-io:2.2

The release notes for version 1.8 contain the claim:

Explicitly set commons-io version to 2.11.0 to avoid older transitive dependency version (CVE-2021-29425)

But that does not seem to work. I actually looked through the pom.xml files for both 1.8 and 1.9 and I can’t find any trace of this. Maybe a relevant commit was accidentally dropped?
@bogdanb bogdanb changed the title Transitive dependency on commons-io version to 2.11.0 to avoid older transitive dependency version Transitive dependency on commons-io 2.2, which is vulnerable Dec 2, 2022
@deki
Copy link
Collaborator

deki commented Dec 2, 2022

Thanks for raising it, the change is here: https://github.com/awslabs/aws-serverless-java-container/blob/main/aws-serverless-java-container-core/pom.xml#L103
Will take a closer look next week...

@deki deki self-assigned this Dec 2, 2022
@deki
Copy link
Collaborator

deki commented Dec 7, 2022

Asked for a new fileupload release: https://lists.apache.org/thread/t6zqknf84gkk0dr359hmf4okf57shvd6

Waiting for a response, otherwise will manage the dependency explicitly.

deki added a commit that referenced this issue Dec 8, 2022
@deki
chore(deps): Explicitly add more recent commons-io version (#488)
d84a418
@deki
Copy link
Collaborator

deki commented Dec 8, 2022

Next commons-fileupload release will happen next year so for now I added the dependency explicitly.

@deki deki added the CVE Critical security vulnerability in dependencies label Dec 13, 2022
@deki
Copy link
Collaborator

deki commented Dec 14, 2022

Released as part of version 1.9.1.

@deki deki closed this as completed Dec 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@deki deki

Labels
CVE Critical security vulnerability in dependencies
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bogdanb @deki