micronaut-projects / micronaut-data

Ahead of Time Data Repositories
Apache License 2.0

CVE-2022-22965 - Remote Code Execution in micronaut-data-spring-jpa #1417

Closed Calieston closed 2 years ago

Calieston commented 2 years ago

Hey, is there already a fix planned for current spring security vulnerabilities? We currently use micronaut-data-spring-jpa and I could not find a fix in the latest releases.

Expected Behavior

No security vulnerabilities when using micronaut-data-spring-jpa

Recommendation from Snyk: Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.

Actual Behaviour

Snyk Finding CVE-2022-22965 - Remote Code Execution in micronaut-data-spring-jpa

Version

3.0.3
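As an added example (not code from the issue or the Micronaut project), the following Python checks the spring-beans versions resolved in `gradle dependencies` output against the fix levels quoted from Snyk above; the dependency output is a constructed sample, and the branch handling for versions outside 5.2.x/5.3.x is an assumption.

```python
"""Check resolved spring-beans versions against the Snyk fix levels for CVE-2022-22965."""
import re
from typing import List, Optional, Tuple

# Fixed patch levels per maintained branch, as given in the Snyk recommendation above.
FIXED_PATCH = {(5, 2): 20, (5, 3): 18}

# Constructed sample of `gradle dependencies` output; the "->" form marks a version
# that Gradle's conflict resolution upgraded.
SAMPLE_GRADLE_OUTPUT = """\
+--- io.micronaut.data:micronaut-data-spring-jpa:3.0.3
|    +--- org.springframework:spring-beans:5.3.16
|    \\--- org.springframework:spring-orm:5.3.16
+--- org.springframework:spring-beans:5.3.16 -> 5.3.18
\\--- org.springframework:spring-core:5.2.19.RELEASE
"""

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.2.19.RELEASE' or '5.3.18' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch

def spring_beans_needs_upgrade(version: str) -> bool:
    """True if this spring-beans version is below the fixed level for its branch."""
    major, minor, patch = parse_version(version)
    fixed: Optional[int] = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return patch < fixed
    # Assumption: branches older than 5.2 predate the fix; 5.4+ are newer than both fixed lines.
    return (major, minor) < (5, 2)

DEP_RE = re.compile(r"org\.springframework:spring-beans:(\S+)(?:\s+->\s+(\S+))?")

def find_vulnerable_spring_beans(dependency_output: str) -> List[Tuple[str, str]]:
    """Return (line, resolved_version) for each spring-beans entry that needs upgrading."""
    findings = []
    for line in dependency_output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        resolved = m.group(2) or m.group(1)  # Gradle prints "declared -> resolved"
        if spring_beans_needs_upgrade(resolved):
            findings.append((line.strip(), resolved))
    return findings

if __name__ == "__main__":
    for line, version in find_vulnerable_spring_beans(SAMPLE_GRADLE_OUTPUT):
        print(f"needs upgrade ({version}): {line}")
```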

graemerocher commented 2 years ago

You can manually upgrade Spring, however do note that none of the binding code where this vulnerability is exploitable is exposed or used by Micronaut.

graemerocher commented 2 years ago

https://github.com/micronaut-projects/micronaut-data/pull/1418