apache / incubator-hugegraph

A graph database that supports 100+ billion data items with high performance and scalability (includes the OLTP engine, REST API and backends)
https://hugegraph.apache.org
Apache License 2.0

[Question] Vulnerability found in dependency: CVE-2022-42889 9.8 Transitive Improper Control of Generation of Code ("Code Injection") vulnerability with High severity found #2555

Closed liming1010 closed 3 weeks ago

liming1010 commented 3 weeks ago

Problem Type

others (please edit later)

Environment

Your Question

On the 1.3 Java client the following appears: Vulnerability found in dependency: CVE-2022-42889 9.8 Transitive Improper Control of Generation of Code ("Code Injection") vulnerability with High severity found. After looking into it, this is a real vulnerability. [screenshot: QQ截图20240607160825]

Vertex/Edge example

No response

Schema [VertexLabel, EdgeLabel, IndexLabel]

No response

dosubot[bot] commented 3 weeks ago

To address the CVE-2022-42889 vulnerability in the HugeGraph Java client version 1.3, you need to update the Apache Commons Text library to version 1.10.0 or later. This vulnerability is related to the Apache Commons Text library, which is used for string interpolation and can be exploited if not properly updated.

Here is how you can update the dependency in your pom.xml file if you are using Maven:

```xml
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-text</artifactId>
    <version>1.10.0</version>
</dependency>
```

If you are using Gradle, you can update the dependency in your build.gradle file:

```groovy
implementation 'org.apache.commons:commons-text:1.10.0'
```

Make sure to rebuild your project after updating the dependency to ensure that the new version is being used [1].

To continue talking to Dosu, mention @dosu.
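The advice above fixes the version, but the practical question for a transitive dependency is whether the patched version is actually the one Maven resolves after the rebuild. The following script, added here as an example and not part of the HugeGraph project or of the bot's answer, parses the text output of `mvn dependency:tree`, reconstructs the path from the root project to every resolved artifact, and reports any artifact below the minimum patched version on a small watchlist (here CVE-2022-42889, fixed in commons-text 1.10.0, which also disables the script, DNS and URL lookups by default). The sample tree is constructed; apart from `org.apache.hugegraph:hugegraph-client` and `org.apache.commons:commons-text`, the artifact names in it are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not real HugeGraph output).
# Artifact names other than hugegraph-client and commons-text are hypothetical.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ my-app ---
[INFO] com.example:my-app:jar:1.0-SNAPSHOT
[INFO] +- org.apache.hugegraph:hugegraph-client:jar:1.3.0:compile
[INFO] |  \\- com.example.hypothetical:some-library:jar:2.0:compile
[INFO] |     \\- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

# Minimum patched version per advisory: CVE-2022-42889 is fixed in commons-text 1.10.0.
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.commons:commons-text": "1.10.0",
}

# One tree node: "[INFO] <tree prefix>group:artifact:packaging:version[:scope]".
# Classifier coordinates (five parts before the scope) are not handled here.
_LINE = re.compile(
    r"^\[INFO\]\s?([ |+\\-]*)([^:\s]+):([^:\s]+):([^:\s]+):([^:\s]+)(?::([^:\s]+))?$"
)


def parse_tree(text: str) -> List[Tuple[List[str], str]]:
    """Return (path, version) per node; path lists group:artifact from the root down."""
    stack: List[str] = []
    nodes: List[Tuple[List[str], str]] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # plugin banner, BUILD SUCCESS, etc.
        prefix, group, artifact, _packaging, version, _scope = m.groups()
        depth = len(prefix) // 3  # each tree level is a 3-character prefix ("+- ", "|  ")
        del stack[depth:]  # pop back to this node's parent level
        stack.append(f"{group}:{artifact}")
        nodes.append((list(stack), version))
    return nodes


def version_key(v: str) -> Tuple[Tuple[int, ...], int]:
    """Comparable key for dotted versions; a qualifier (SNAPSHOT, RC1) sorts before the plain release.
    Trailing zeros are dropped so 1.10 and 1.10.0 compare equal, as Maven treats them."""
    nums: List[int] = []
    qualifier = False
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            nums.append(int(piece))
        else:
            qualifier = True
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if qualifier else 1)


def find_vulnerable(text: str, minimums: Dict[str, str] = MIN_VERSIONS) -> List[str]:
    """Return one finding per resolved artifact that is below its patched version,
    including the dependency path through which it is pulled in."""
    findings: List[str] = []
    for path, version in parse_tree(text):
        ga = path[-1]
        if ga in minimums and version_key(version) < version_key(minimums[ga]):
            findings.append(
                f"{ga}:{version} < {minimums[ga]} via " + " -> ".join(path[:-1])
            )
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_TREE):
        print(finding)
```

Feed it the real output of `mvn dependency:tree` from your project, and run it again after adding the override to confirm the resolved version changed. Declaring commons-text as a direct dependency, as the answer above suggests, relies on Maven's nearest-wins resolution; pinning the version in a `<dependencyManagement>` section instead forces 1.10.0 on every path, which matters when more than one transitive chain brings the library in.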

liming1010 commented 3 weeks ago

ok, thanks