prometheus / client_java

Prometheus instrumentation library for JVM applications
http://prometheus.github.io/client_java/
Apache License 2.0

CVE-2024-7254 potential Denial of Service issue in protobuf-java #1086

Open robert-gdv opened 2 weeks ago

robert-gdv commented 2 weeks ago

Sonatype reports CVE-2024-7254 on io.prometheus:prometheus-metrics-shaded-protobuf with a CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N score of 8.7.

It is reported that all versions of prometheus-metrics-shaded-protobuf up to and including 1.3.1 are affected. There is currently no unaffected version of prometheus-metrics-shaded-protobuf available, while the unshaded library protobuf-java has already been fixed.

See also https://github.com/advisories/GHSA-735f-pc8j-v9w8

robert-gdv commented 2 weeks ago

Apparently fixed in https://github.com/prometheus/client_java/pull/1008. I am waiting for a release.

robert-gdv commented 2 weeks ago

On the other hand, that was an automated update. I am not sure that Dependabot understands the shading. Shouldn't it also update the protobuf.version.string variable?
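A check for what the comment above is asking (whether the published shaded jar actually carries a fixed protobuf-java, regardless of what the pom says), as an added example that is not part of this issue thread or of client_java's own tooling: it reads the pom.properties entries that the Maven shade plugin normally keeps under META-INF/maven/ inside the shaded jar and compares the bundled protobuf-java version against the fixed releases of each version line. The jar used here is constructed in memory; the fixed-version list and the assumption that the Maven metadata survived shading are both assumptions (if the build strips META-INF/maven, the check returns None and you have to fall back to the protobuf.version.string property in the pom instead).

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Path of the per-dependency metadata the shade plugin copies into the fat jar.
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Fixed releases per version line. These are an assumption for the demo:
# take the real list from the GHSA advisory linked in the issue.
FIXED_PROTOBUF_JAVA = ["3.25.5", "4.27.5", "4.28.2"]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.25.3' into (3, 25, 3); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def embedded_artifacts(jar_bytes: bytes) -> Dict[str, str]:
    """Return {'groupId:artifactId': version} for every pom.properties bundled in the jar."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS_RE.match(name)
            if not m:
                continue
            props: Dict[str, str] = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, val = line.partition("=")
                props[key.strip()] = val.strip()
            group = props.get("groupId", m.group(1))
            artifact = props.get("artifactId", m.group(2))
            if "version" in props:
                found[f"{group}:{artifact}"] = props["version"]
    return found


def is_fixed(version: str, fixed_per_line: List[str]) -> bool:
    """True if version is at or past the fix of its major.minor line.

    Anything at or beyond the newest fixed release counts as fixed; a line
    with no fixed release listed (e.g. 4.26.x) is treated as unfixed.
    """
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_per_line)
    if not fixed:
        return False
    if v >= fixed[-1]:
        return True
    for fv in fixed:
        if v[:2] == fv[:2]:
            return v >= fv
    return False


def check_shaded_protobuf(
    jar_bytes: bytes,
    fixed_per_line: List[str] = FIXED_PROTOBUF_JAVA,
    coordinate: str = "com.google.protobuf:protobuf-java",
) -> Optional[Tuple[str, bool]]:
    """(bundled version, fixed?) or None when the jar carries no Maven metadata for it."""
    version = embedded_artifacts(jar_bytes).get(coordinate)
    if version is None:
        return None
    return version, is_fixed(version, fixed_per_line)


def build_sample_jar(protobuf_version: Optional[str]) -> bytes:
    """Constructed stand-in for a shaded jar; only the metadata entries matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if protobuf_version is not None:
            zf.writestr(
                "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
                "#Generated by Maven\n"
                f"version={protobuf_version}\n"
                "groupId=com.google.protobuf\n"
                "artifactId=protobuf-java\n",
            )
        zf.writestr("io/prometheus/metrics/shaded/Placeholder.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Against a real artifact: check_shaded_protobuf(open(path, "rb").read())
    for ver in ("3.25.3", "3.25.5", "4.27.4", "4.29.0"):
        print(ver, check_shaded_protobuf(build_sample_jar(ver)))
    print("stripped metadata:", check_shaded_protobuf(build_sample_jar(None)))
```

The version comparison is deliberately conservative: a bundled version on a line that has no fixed release in the list is reported as unfixed rather than guessed at, and a missing pom.properties is reported as "unknown" (None) rather than as safe.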

zeitlinger commented 2 weeks ago

I've created https://github.com/prometheus/client_java/pull/1063 to address this.