cloudfoundry / cf-java-client

Java Client Library for Cloud Foundry
Apache License 2.0

Latest version uses jackson-databind in a version which is vulnerable to two CVEs #1169

Closed JuergenSu closed 2 years ago

JuergenSu commented 2 years ago

Hi,

we are using org.cloudfoundry:cloudfoundry-client-reactor:jar:5.9.0.RELEASE and a vulnerability scan reported that a dependency jackson-databind-2.13.3 is used which is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2022-42003 and https://nvd.nist.gov/vuln/detail/CVE-2022-42004.

Is this exploitable via org.cloudfoundry:cloudfoundry-client-reactor:jar:5.9.0.RELEASE?

Thanks Juergen

dmikusa commented 2 years ago

Can you share details of the scan? What precisely did you scan? An application using the client or the client repo itself or something else?

In general, cf-java-client does have dependencies on other libraries but it's just a library. It's not shading or bundling any dependencies in the jars we ship.

Ultimately you control what version of dependencies are used in your application. Depending on the circumstances you may need to override a transitive dependency version. That usually just means adding a direct dependency for the library in question, in this case Jackson.

We don't require it but recommend using Spring Boot which can help with keeping dependencies up to date. In that case, you may just need to bump your Spring Boot version, which has an updated BOM and will pull in patched dependencies.
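As an added illustration of the override described above (example configuration, not code from cf-java-client or from this thread), a Maven fragment for the consuming application that imports the Jackson BOM so that jackson-databind and its sibling modules move to the same release together; the version property is a placeholder for the release NVD lists as fixed for both CVEs.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the consuming application -->
  <groupId>com.example</groupId>
  <artifactId>cf-client-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Placeholder: substitute the Jackson release that NVD lists as
         fixed for CVE-2022-42003 and CVE-2022-42004 -->
    <jackson.version>PATCHED_JACKSON_VERSION</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOM manages every com.fasterxml.jackson.* module,
           so the transitive jackson-databind 2.13.3 is replaced without
           mixing core/annotations/databind versions -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library from the report; its own Jackson version is now
         overridden by the managed version above -->
    <dependency>
      <groupId>org.cloudfoundry</groupId>
      <artifactId>cloudfoundry-client-reactor</artifactId>
      <version>5.9.0.RELEASE</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` prints the single resolved jackson-databind version; the scanner should then report that version rather than 2.13.3.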

JuergenSu commented 2 years ago

Hi, we used whitesource/mend to scan an application using org.cloudfoundry:cloudfoundry-client-reactor:jar:5.9.0.RELEASE and that identified jackson-databind as a transitive dependency in a vulnerable version. I can share more details on Monday.

I am just unsure if overwriting is a good idea since it might have other, unpredicted side effects if using a version that might not be fully compatible. But if this is the preferred solution we will do so.

dmikusa commented 2 years ago

Yes, I believe that should work. Please give it a try.

I was just looking at a sample app based on Spring Boot 2.7.5 to double check and it's pulling in fixed versions of those libraries.

[Screenshot attached, taken 2022-10-22]

Let me know if you have any issues.

JuergenSu commented 2 years ago

Hi,

for whatever reason, my project is now also pulling the correct dependencies. So sorry for bothering you, this case can be closed. Thanks for your patience.

dmikusa commented 2 years ago

No worries, thanks for reaching out.