taoensso / faraday

Amazon DynamoDB client for Clojure
https://www.taoensso.com/faraday
Eclipse Public License 1.0

Vulnerability CVE-2024-21634 #169

Closed kevin-ewing closed 3 months ago

kevin-ewing commented 3 months ago

Vulnerable path found through com.taoensso:faraday@1.12.0 > com.amazonaws:aws-java-sdk-dynamodb@1.12.410 > com.amazonaws:aws-java-sdk-core@1.12.410 > software.amazon.ion:ion-java@1.0.2

CVE Record Snyk Report

joelittlejohn commented 3 months ago

Fixed by 0de2499e116c7f9fe1b9f3751891dcc86994eb1e. Thanks!

kevin-ewing commented 3 months ago

@joelittlejohn The issue still persists in com.amazonaws/aws-java-sdk-dynamodb "1.12.581" through com.taoensso:faraday@1.12.1 > com.amazonaws:aws-java-sdk-dynamodb@1.12.581 > com.amazonaws:aws-java-sdk-core@1.12.581 > software.amazon.ion:ion-java@1.0.2.

joelittlejohn commented 3 months ago

Oh thanks, sorry my mistake. I managed to miss this via lein deps :tree :facepalming: Let me sort this out.

joelittlejohn commented 3 months ago

@kevin-ewing Fixed with 1.12.2 (47dfdef607e697844768b0605ec12657386a20dc).
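The thread above shows that the first fix was missed because the transitive path to ion-java was not checked in `lein deps :tree`. As an added example (not code from the faraday project or from either commenter), the script below parses that tree output by indentation and reports every path ending in a given artifact, so a consumer can confirm the vulnerable path is gone after upgrading. The sample tree text is constructed for the example and mirrors the path reported in the issue; the helper name `find_paths` is an assumption.

```python
import re
from typing import List

# Constructed sample of `lein deps :tree` output (not captured from the
# project); it mirrors the dependency path reported in the issue.
SAMPLE_TREE = """\
 [com.taoensso/faraday "1.12.1"]
   [com.amazonaws/aws-java-sdk-dynamodb "1.12.581"]
     [com.amazonaws/aws-java-sdk-core "1.12.581"]
       [software.amazon.ion/ion-java "1.0.2"]
     [joda-time "2.8.1"]
 [org.clojure/clojure "1.11.1"]
"""

# Matches a tree line such as '   [group/name "1.2.3"]'; trailing
# fragments like :exclusions or :scope are ignored.
LINE_RE = re.compile(r'^(\s*)\[([^\s"\]]+)\s+"([^"]+)"')


def find_paths(tree_text: str, artifact: str) -> List[List[str]]:
    """Return every dependency path (root -> leaf) that ends in `artifact`.

    Each path element is 'group/name@version'. `lein deps :tree` indents
    two spaces per nesting level, so the stack is trimmed to the current
    depth before each node is pushed, which keeps the ancestor chain exact.
    """
    stack: List[str] = []
    hits: List[List[str]] = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, name, version = m.groups()
        depth = len(indent) // 2
        del stack[depth:]          # drop siblings/descendants of the previous node
        stack.append(f"{name}@{version}")
        if name == artifact:
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    # Run `lein deps :tree > tree.txt` in the consuming project and pass
    # that text instead of SAMPLE_TREE to audit the real dependency graph.
    for path in find_paths(SAMPLE_TREE, "software.amazon.ion/ion-java"):
        print(" > ".join(path))
```

Compare the reported ion-java version against the CVE-2024-21634 advisory; an empty result after the upgrade means the path through aws-java-sdk-core no longer pulls the affected artifact.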