finos / spring-bot

Spring Boot + Java Integration for Symphony/Teams Chat Platform Bots and Apps
https://springbot.finos.org
Apache License 2.0

Added mao's scanning actions from FINOS security scanning #382

Closed robmoffat closed 1 year ago

linux-foundation-easycla[bot] commented 1 year ago

CLA Signed

The committers listed above are authorized under a signed CLA.

TheJuanAndOnly99 commented 1 year ago

/easycla

jarias-lfx commented 1 year ago

/easycla

robmoffat commented 1 year ago

@maoo @vaibhav-db

This basically works now, except that there is a new critical CVE for Spring Boot and so our white source / Dependency Checks are failing.

Once a new version gets published we can release. Please review + approve.

maoo commented 1 year ago

@robmoffat - apparently spring-web-5.3.26.jar is affected by CVE-2016-1000027, which states:

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

If you don't use spring-web for deserialization of untrusted data (that is, data that is manually entered), I'd suggest adding this to allow-list.xml with a note that explains why the CVE can be safely ignored; see https://nvd.nist.gov/vuln/detail/cve-2016-1000027
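An added illustration of the kind of allow-list entry the comment above suggests (not a file from this PR or the spring-bot repo); it assumes allow-list.xml follows the OWASP Dependency-Check suppression schema, and the note text and the narrow packageUrl scope are the example's own choices:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed schema: OWASP Dependency-Check suppression file (example, not the project's own). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2016-1000027: disputed Spring Framework finding about Java deserialization
      of untrusted data (HttpInvoker / RMI style remoting). This project does not
      use spring-web to deserialize untrusted input, so the finding does not apply.
      Re-check this justification when spring-web is upgraded or remoting is added.
      See https://nvd.nist.gov/vuln/detail/cve-2016-1000027
    ]]></notes>
    <!-- Scope the suppression to spring-web only, not every org.springframework artifact. -->
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
    <cve>CVE-2016-1000027</cve>
  </suppress>
</suppressions>
```

Keeping the match limited to one artifact and one CVE means a genuinely new Spring Framework finding still fails the scan instead of being hidden by a broad suppression.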

robmoffat commented 1 year ago

@vaibhav-db let's review. Also took out white source for future PRs