Closed leslievandemark closed 1 month ago
As reported by Grype:
clojure 1.11.1 java-archive CVE-2024-22871 High
clojure 1.11.1 1.11.2 java-archive GHSA-vr64-r9qj-h27f High
Leiningen version: 2.11.2.
Thanks, but this is not a legitimate vulnerability, as triggering it requires using Java serialization on untrusted input, which is already inherently unsafe and can easily result in much worse problems than a DoS:
Deserializing untrusted data, especially from an unknown, untrusted, or unauthenticated client, is an inherently dangerous activity because the content of the incoming data stream determines the objects that are created, the values of their fields, and the references between them. By careful construction of the stream, an adversary can run code in arbitrary classes with malicious intent.
https://docs.oracle.com/en/java/javase/21/core/addressing-serialization-vulnerabilities.html
You should update your security scans to ignore it, because it is flagrantly incorrect.
Sure, often these automatically reported CVEs are not reachable.
But it would be more convenient for the users if Clojure is bumped by a minor version in Lein instead of investigating the details of the CVE and suppressing it in the tools such as Grype. Plus for example, in my case it's currently not easy to suppress the CVE specifically for the Lein jar and not for the greater number of scanned artifacts.
So it would be great if Clojure is bumped in the next scheduled release unless there's some obstacle.
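One way to scope the suppression to just the Leiningen jar is a Grype ignore rule that matches on both the package and its location, using the ignore-rule fields documented in Grype's README (this is an added example, not from anyone in this thread; the `location` glob is an assumption and must be adjusted to the path Grype actually reports for the standalone jar in your image):

```yaml
# .grype.yaml - example added to this thread, not from any participant.
# Suppresses CVE-2024-22871 (and its GHSA alias) only for the clojure 1.11.1
# artifact found inside the Leiningen standalone jar, so the same finding is
# still reported for any other clojure jar in the scan.
ignore:
  - vulnerability: CVE-2024-22871
    package:
      name: clojure
      version: 1.11.1
      type: java-archive
      # ASSUMPTION: glob for the Leiningen standalone jar; check the location
      # Grype prints with `grype -o json` and adjust if it differs.
      location: "**/leiningen-*-standalone.jar*"
  - vulnerability: GHSA-vr64-r9qj-h27f
    package:
      name: clojure
      version: 1.11.1
      type: java-archive
      location: "**/leiningen-*-standalone.jar*"
```

Run `grype --show-suppressed` against the image to confirm the match is listed as ignored rather than silently dropped.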
Hello, CVE-2024-22871 is fixed in clojure version `1.11.2`, and the base version used in the current leiningen release is `1.11.1`. This is causing a security scan to fail, since the latest clojure docker image pulls in a jar for leiningen `2.11.2` with clojure version `1.11.1` installed. Could the default clojure version be bumped? Thank you.