neuland / pug4j

a pug implementation written in Java (formerly known as jade)
MIT License

Vulnerability in 3rd party dependency "org.graalvm.sdk:graal-sdk" (update needed) #20

Closed dbelyaev closed 1 year ago

dbelyaev commented 1 year ago

The current version of pug4j (pug4j-2.0.6) is utilizing an outdated dependency, org.graalvm.sdk:graal-sdk@21.3.0, which is known to have vulnerabilities:

| SEVERITY | VULNERABILITY | CWE | CVE | SNYK | CVSS SCORE | INTRODUCED IN | FIXED IN |
|---|---|---|---|---|---|---|---|
| HIGH | Access Restriction Bypass | CWE-284 | CVE-2022-21449 | SNYK-JAVA-ORGGRAALVMSDK-2767964 | CVSS 7.5 | org.graalvm.sdk:graal-sdk@21.3.0 | org.graalvm.sdk:graal-sdk@20.3.6, @21.3.2, @22.1.0 |
| HIGH | Information Exposure | CWE-20 | CVE-2022-21476 | SNYK-JAVA-ORGGRAALVMSDK-2769618 | CVSS 7.5 | org.graalvm.sdk:graal-sdk@21.3.0 | org.graalvm.sdk:graal-sdk@20.3.6, @21.3.2, @22.1.0 |
| HIGH | Information Exposure | CWE-924 | CVE-2023-21930 | SNYK-JAVA-ORGGRAALVMSDK-5457933 | CVSS 7.4 | org.graalvm.sdk:graal-sdk@21.3.0 | org.graalvm.sdk:graal-sdk@20.3.6, @21.3.2, @22.1.0 |

Version 23.1.0 is already available (link: https://central.sonatype.com/artifact/org.graalvm.sdk/graal-sdk); however, it appears that this version does not support Java 1.8 (v8). Upgrading is not straightforward, and it may be a better approach to address the issues by utilizing a patched version from the same minor tree: 21.3.2.
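For an application that depends on pug4j 2.0.6 and cannot wait for a release that bumps the dependency, the transitive `org.graalvm.sdk:graal-sdk` version can be pinned from the consuming project's own `pom.xml` via `dependencyManagement`, which Maven applies to transitive dependencies as well. This is an added example for consumers of the library, not pug4j's own build file; the `2.0.6` coordinate and the assumption that nothing else in the build needs a different GraalVM version are the only inputs it relies on.

```xml
<project>
  <!-- ... groupId, artifactId, version of your own application ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Force the patched release from the same 21.3.x line that the
           issue above identifies as the fixed version. Maven's nearest-wins
           resolution would otherwise pick 21.3.0 from pug4j's POM. -->
      <dependency>
        <groupId>org.graalvm.sdk</groupId>
        <artifactId>graal-sdk</artifactId>
        <version>21.3.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>de.neuland-bfi</groupId>
      <artifactId>pug4j</artifactId>
      <!-- assumed: the still-affected release discussed in this issue -->
      <version>2.0.6</version>
    </dependency>
  </dependencies>
</project>
```

After adding the override, confirm what actually ends up on the classpath with `mvn dependency:tree -Dincludes=org.graalvm.sdk`; the tree should show `graal-sdk:jar:21.3.2` under pug4j with the `(version managed from 21.3.0)` annotation. Two caveats: if the build also pulls in other `org.graalvm.*` artifacts (for example the JavaScript engine), they should be managed to the same 21.3.2 version, since GraalVM components are released in lockstep and mixed versions fail at runtime; and the override only changes the version, so re-run the dependency scanner afterwards to confirm the three advisories above no longer match.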

chbloemer commented 1 year ago

Fixed in 2.1.0