scala / bug

Scala 2 bug reports only. Please, no questions — proper bug reports only.
https://scala-lang.org

CVE-2023-50572: Found this vulnerability in scala-compiler-2.13.12 #12969

Closed devanshraghuvanshi closed 3 months ago

devanshraghuvanshi commented 3 months ago

Reproduction steps

scala-compiler-2.13.12 has jline-3.22.0.jar as a dependency, which has a vulnerability: https://www.mend.io/vulnerability-database/CVE-2023-50572.

Problem

How can we remediate this vulnerability (https://www.mend.io/vulnerability-database/CVE-2023-50572)?

Also, the 2.13.13 version of the Scala compiler, which uses jline 3.24.1, is vulnerable as well and needs to be moved above jline version 3.25.0.

lrytz commented 3 months ago

IIUC, the corresponding bug (https://github.com/jline/jline3/issues/909) is in GroovyEngine, which we don't use. That class is even in a separate artifact org.jline:jline-groovy which we don't depend on.

If there's a way this bug can be triggered in Scala, please re-open.
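The maintainers' argument above is that a scanner flagged the artifact, but the vulnerable class lives in a separate artifact that is not on the classpath. That is a check a practitioner can reproduce instead of taking the scanner's word for it: a JAR is a ZIP archive, so listing its `.class` entries shows whether a named class is actually shipped. The following is an added example, not code from scala/bug or from JLine; the package path `org/jline/script/GroovyEngine.class` and the entries in the two sample JARs are constructed for illustration, so the script runs offline, and `scan_jar_file` applies the same check to a real JAR on disk.

```python
"""Check whether a JAR actually ships a given class (e.g. JLine's GroovyEngine).

Added example, not code from scala/bug or JLine. A JAR is a ZIP archive whose
class entries are paths like org/jline/script/GroovyEngine.class; that package
path is an assumption used for illustration. The two sample JARs below are
constructed in memory so the script runs offline.
"""
import io
import zipfile
from typing import Iterable, List


def list_classes(jar_bytes: bytes) -> List[str]:
    """Return the fully qualified names of every class entry in a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(
            name[:-len(".class")].replace("/", ".")
            for name in jar.namelist()
            if name.endswith(".class")
        )


def find_classes(jar_bytes: bytes, simple_name: str) -> List[str]:
    """Return classes whose simple name matches, ignoring package and inner-class suffix.

    Matching on the simple name means the check still works if the scanner
    report names the class but not its package.
    """
    hits = []
    for fqcn in list_classes(jar_bytes):
        simple = fqcn.rsplit(".", 1)[-1].split("$", 1)[0]
        if simple == simple_name:
            hits.append(fqcn)
    return hits


def scan_jar_file(path: str, simple_name: str) -> List[str]:
    """Same check against a JAR on disk (e.g. one pulled from ~/.ivy2 or ~/.m2)."""
    with open(path, "rb") as fh:
        return find_classes(fh.read(), simple_name)


def build_jar(entries: Iterable[str]) -> bytes:
    """Build an in-memory JAR with empty placeholder entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()


# Constructed samples: a core JAR like the one the compiler depends on, and the
# separate groovy artifact that carries the flagged class. Entry names are illustrative.
JLINE_CORE = build_jar([
    "META-INF/MANIFEST.MF",
    "org/jline/reader/LineReader.class",
    "org/jline/terminal/Terminal.class",
])
JLINE_GROOVY = build_jar([
    "META-INF/MANIFEST.MF",
    "org/jline/script/GroovyEngine.class",         # assumed package path
    "org/jline/script/GroovyEngine$Helper.class",  # inner class, also matched
])

if __name__ == "__main__":
    for label, jar in (("jline core", JLINE_CORE), ("jline-groovy", JLINE_GROOVY)):
        hits = find_classes(jar, "GroovyEngine")
        print(f"{label}: {hits if hits else 'GroovyEngine not present'}")
```

Running it prints no hit for the core JAR and two hits for the groovy JAR, which is the distinction the comment above draws: a scanner matches on artifact coordinates, while this check matches on what is actually on the classpath.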

SethTisue commented 3 months ago

I second Lukas that the vulnerable class does not exist in the JAR we depend on.

Regardless, we expect to release Scala 2.13.14 soon, like within the next few weeks, and it will include the JLine 3.25.1 upgrade, as per https://github.com/scala/bug/issues/12933. So at that point even the appearance of an issue will vanish.