google / guice

Guice (pronounced 'juice') is a lightweight dependency injection framework for Java 11 and above, brought to you by Google.
https://github.com/google/guice
Apache License 2.0
12.5k stars 1.67k forks

Is guice impacted by Spring4shell security vulnerabilities? #1621

Open embedsri opened 2 years ago

embedsri commented 2 years ago

https://tanzu.vmware.com/security/cve-2022-22963 https://tanzu.vmware.com/security/cve-2022-22965

wendigo commented 2 years ago

@embedsri No.

embedsri commented 2 years ago

Thank you for the clarification.

We use guice as part of our Android 9 build and it has this external/guice/extensions/spring/pom.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project>
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.google.inject.extensions</groupId>
    <artifactId>extensions-parent</artifactId>
    <version>4.0</version>
  </parent>
  <artifactId>guice-spring</artifactId>
  <name>Google Guice - Extensions - Spring</name>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>3.0.5.RELEASE</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
```

"external/guice/extensions/spring/pom.xml" Can you confirm that this won't be affected by the Spring4shell vulnerability?

On Thu, Apr 7, 2022 at 3:25 PM wendigo @.***> wrote:

@embedsri https://github.com/embedsri No.


GedMarc commented 2 years ago

According to the ticket, if you are importing spring from this pom, and using JDK 9, then yes, it is affected.

GedMarc commented 2 years ago

Severity is critical unless otherwise noted.

Spring Framework
5.3.0 to 5.3.17
5.2.0 to 5.2.19
Older, unsupported versions are also affected
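The thread leaves the reader to compare the `spring-beans` version declared in the Guice extension pom against the version ranges quoted from the advisory. The script below is an added example, not code from the Guice project or from anyone in this thread: it parses a Maven pom, picks out `org.springframework` dependencies, resolves `${property}` versions from the pom's `<properties>`, and classifies each declared version against exactly the ranges listed above (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and anything older as "older, unsupported"). The first sample pom is the one reconstructed from the thread; the second is a constructed pom that exercises the property and missing-version cases. A `provided` scope, as in the thread's pom, means the jar is supplied by the runtime at deployment rather than bundled, so the runtime's Spring version is the one that ultimately matters; this scanner only reports what a pom declares.

```python
"""Scan a Maven pom.xml for org.springframework dependencies and report which
declared versions fall inside the ranges quoted from the advisory in the thread."""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as quoted in the thread (inclusive bounds).
AFFECTED_RANGES = [
    ((5, 3, 0), (5, 3, 17)),
    ((5, 2, 0), (5, 2, 19)),
]
# Below this the advisory says "Older, unsupported versions are also affected".
OLDEST_SUPPORTED = (5, 2, 0)


def parse_version(text):
    """'3.0.5.RELEASE' -> (3, 0, 5); non-numeric qualifiers are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])


def fmt(version_tuple):
    return ".".join(str(n) for n in version_tuple)


def classify(version_text):
    """Return a verdict string for one declared Spring Framework version."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return "affected: listed range %s to %s" % (fmt(lo), fmt(hi))
    if v < OLDEST_SUPPORTED:
        return "affected: older, unsupported version"
    return "not in the listed affected ranges"


def _strip_namespaces(root):
    # Maven poms usually carry the POM/4.0.0 default namespace; drop it so
    # plain tag names can be used in findtext()/iter().
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def scan_pom(pom_xml):
    """Return one finding dict per org.springframework dependency in the pom."""
    root = _strip_namespaces(ET.fromstring(pom_xml))
    props = {p.tag: (p.text or "").strip() for p in root.findall("./properties/*")}
    props.setdefault("project.version",
                     (root.findtext("version") or root.findtext("parent/version") or "").strip())
    findings = []
    for dep in root.iter("dependency"):
        if (dep.findtext("groupId") or "").strip() != "org.springframework":
            continue
        raw = (dep.findtext("version") or "").strip()
        # Resolve ${spring.version}-style references against <properties>.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        findings.append({
            "artifactId": (dep.findtext("artifactId") or "").strip(),
            "version": version,
            "scope": (dep.findtext("scope") or "compile").strip(),
            "verdict": classify(version) if version
                       else "version not declared here (inherited or managed elsewhere)",
        })
    return findings


# Reconstructed from the pom quoted in the thread (external/guice/extensions/spring/pom.xml).
THREAD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.google.inject.extensions</groupId>
    <artifactId>extensions-parent</artifactId>
    <version>4.0</version>
  </parent>
  <artifactId>guice-spring</artifactId>
  <name>Google Guice - Extensions - Spring</name>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>3.0.5.RELEASE</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample (not from the thread): a property-driven version and a
# dependency whose version is managed elsewhere.
CONSTRUCTED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <properties><spring.version>5.3.17</spring.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for label, pom in (("thread pom", THREAD_POM), ("constructed pom", CONSTRUCTED_POM)):
        for f in scan_pom(pom):
            print(label, f["artifactId"], f["version"] or "-", f["scope"], "->", f["verdict"])
```

Run it against a real pom with `scan_pom(open("pom.xml").read())`. Versions inherited from a parent or a `dependencyManagement` section in another pom are reported as "not declared here" rather than guessed, so a build that centralises versions needs each contributing pom scanned, and the effective runtime classpath remains the authoritative check.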