cdk / depict

SMILES Depiction Generator
GNU Lesser General Public License v2.1

vulnerability in trivy scan #37

Closed geNBas closed 2 years ago

geNBas commented 2 years ago
Hi cdk-depict dev team,
A trivy scan found two critical security issues on cdk-depict. Do you know if the vulnerabilities are accessible via user input? (SMILES, SMARTS, ...)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| org.springframework:spring-core | CVE-2018-1270 | CRITICAL | 4.2.6.RELEASE | 4.3.16, 5.0.5 | spring-framework: Possible RCE via spring messaging --> avd.aquasec.com/nvd/cve-2018-1270 |
| | CVE-2018-1275 | | | 5.0.5, 4.3.16 | spring-framework: Address partial fix for CVE-2018-1270 --> avd.aquasec.com/nvd/cve-2018-1275 |
johnmay commented 2 years ago

Well we don't use spring messaging :-). I can bump the version though. Is that the final column?

johnmay commented 2 years ago

I've updated to 4.3.30.RELEASE - v5 doesn't work and needs more investigation.
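A small check of the version reasoning in this thread, added here as an example and not code from the cdk-depict project: given the two findings quoted from the trivy scan above (transcribed as constructed data, not a live scan), it asks whether a candidate `spring-core` version is at or past the fix trivy lists for the same major release line. It confirms that the bump to 4.3.30.RELEASE covers both CVEs while the original 4.2.6.RELEASE covers neither. The `parse_version`, `is_fixed` and `unresolved` names are this example's own; the script only compares versions and says nothing about whether the vulnerable spring-messaging code path is reachable from SMILES/SMARTS input.

```python
import re

# Findings transcribed from the trivy output quoted in this issue (constructed
# sample data mirroring that table, not the output of a fresh scan).
FINDINGS = [
    {"cve": "CVE-2018-1270", "library": "org.springframework:spring-core",
     "installed": "4.2.6.RELEASE", "fixed": ["4.3.16", "5.0.5"]},
    {"cve": "CVE-2018-1275", "library": "org.springframework:spring-core",
     "installed": "4.2.6.RELEASE", "fixed": ["5.0.5", "4.3.16"]},
]


def parse_version(version):
    """Turn a Spring-style version such as '4.3.30.RELEASE' into a tuple of
    integers (4, 3, 30). Qualifiers like RELEASE are dropped; only the numeric
    components take part in the comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_fixed(installed, fixed_versions):
    """True if `installed` is at or beyond a listed fixed version on the same
    major release line. trivy lists one fixed version per maintained line
    (here 4.3.16 for 4.x and 5.0.5 for 5.x); a major line with no listed fix
    is conservatively treated as unfixed, so a downgrade across majors never
    counts as a fix."""
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fv = parse_version(fixed)
        if fv[0] == inst[0] and inst >= fv:
            return True
    return False


def unresolved(candidate, findings=FINDINGS):
    """Return the CVE ids that the candidate version does not resolve."""
    return [f["cve"] for f in findings if not is_fixed(candidate, f["fixed"])]


if __name__ == "__main__":
    for version in ("4.2.6.RELEASE", "4.3.15", "4.3.30.RELEASE", "5.0.5"):
        left = unresolved(version)
        print(f"{version:15} unresolved: {left if left else 'none'}")
```

Running the script prints one line per candidate version; both findings remain open for 4.2.6.RELEASE and 4.3.15, and none remain for 4.3.30.RELEASE or 5.0.5. The per-major-line rule is the same conservative reading a scanner applies, so the check errs on the side of reporting a CVE as open rather than silently closing it.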