vaadin / flow

Vaadin Flow is a Java framework binding Vaadin web components to Java. This is part of Vaadin 10+.
Apache License 2.0

Upgrade commons-compress to 1.26.0 to address CVE-2024-25710 #18953

Open jduan-highnote opened 3 months ago

jduan-highnote commented 3 months ago

Description of the bug

See this CVE:

https://nvd.nist.gov/vuln/detail/CVE-2024-25710#range-10353751. "flow-server" depends on 1.25.0 of commons-compress which still has the CVE.

Expected behavior

Have no dependencies with CVEs.

Minimal reproducible example

n/a

Versions

knoobie commented 3 months ago

Please use the latest version - 24.3.7 where the dependency is upgraded.

PS: just because some transitive dependency is vulnerable does not mean that your app is.

mcollovati commented 3 months ago

This has already been fixed in #18923 and also back-ported to 24.3 in #18935 and released with Vaadin 24.3.7

jduan-highnote commented 3 months ago

Wow, that was fast. I still don't see it in maven central https://mvnrepository.com/artifact/com.vaadin/flow-server but I suspect it might show up a bit later?

mcollovati commented 3 months ago

It is already on Maven Central

https://central.sonatype.com/artifact/com.vaadin/flow-server/24.3.7

jduan-highnote commented 3 months ago

Is it expected that https://mvnrepository.com/ is behind by a few hours?

mcollovati commented 3 months ago

AFAIK mvnrepository is not officially related to Maven Central, and I don't know what synchronization policies it has

jduan-highnote commented 3 months ago

Cool. Thanks again for the super fast response!

samie commented 3 weeks ago

Not sure if I should create a new issue instead, but flow-server version 2.10.5 (i.e. the latest Vaadin 14.11.11) still depends on org.apache.commons:commons-compress:jar:1.21 and that shows up in security scanners.

https://github.com/vaadin/flow/blob/2.10/flow-server/pom.xml#L134

Edit: For some reason the version is different if not using CDI and org.apache.commons:commons-compress:jar:1.24 is used.
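The thread turns on two things a scanner report alone does not show: which path actually pulls commons-compress into the build, and the fact that the resolved version can differ between two builds of the same app (the 1.21 vs 1.24 observation above, and the 1.25.0 vs 1.26.0 question that opened the issue). The script below is an added example, not Vaadin code: it parses the plain-text output of `mvn dependency:tree`, prints the path to every occurrence of a target artifact, and flags resolutions older than the fix version. The two tree samples are constructed for this example; the coordinates, the `hypothetical-starter` artifact and its versions are illustrative and not taken from the project's real dependency graph.

```python
"""Flag resolutions of a transitive dependency that are older than a fix
version, from the text printed by `mvn dependency:tree`.

Added example for this issue thread, not part of Vaadin Flow. The sample
trees are constructed: artifact names and versions are illustrative.
"""
import re

TARGET = "org.apache.commons:commons-compress"
FIXED_IN = "1.26.0"  # version the issue title names for CVE-2024-25710

# Constructed sample: the app's only path to commons-compress goes through
# flow-server (depth 2), resolving to 1.24.0.
TREE_PLAIN = """\
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- com.vaadin:flow-server:jar:2.10.5:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.24.0:compile
[INFO] \\- com.example:other-lib:jar:3.1.0:compile
"""

# Constructed sample: a hypothetical starter declared before flow-server
# carries an older commons-compress. Maven's "nearest wins" rule (first
# declaration at equal depth) makes 1.21 the resolved version, and the
# copy under flow-server is omitted from the non-verbose tree. This is the
# effect samie reports: the same flow-server, a different resolved version.
TREE_WITH_STARTER = """\
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- com.example:hypothetical-starter:jar:1.0.0:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] \\- com.vaadin:flow-server:jar:2.10.5:compile
"""

# "[INFO] " then zero or more 3-char indent cells ("+- ", "|  ", "\- ", "   ")
# followed by the coordinate string, which never contains spaces.
LINE_RE = re.compile(r"^\[INFO\] ((?:[|+\\\- ]{3})*)(\S+)$")


def parse_tree(text):
    """Yield (path, version) for each node; path lists groupId:artifactId
    from the root down to the node, so the caller can see who pulls it in."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        ga = f"{parts[0]}:{parts[1]}"
        # g:a:type:version (root), g:a:type:version:scope,
        # g:a:type:classifier:version:scope -> version is second-last
        # whenever a scope is present.
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        del stack[depth:]
        stack.append(ga)
        yield list(stack), version


def version_key(v, width=4):
    """Numeric, zero-padded key so 1.9 < 1.10 and 1.26 == 1.26.0.
    Qualifiers such as -SNAPSHOT are ignored, which is fine for a triage
    check but not a full Maven version comparison."""
    nums = [int(x) for x in re.findall(r"\d+", v)]
    return tuple((nums + [0] * width)[:width])


def resolved_version(text, target=TARGET):
    """Version Maven resolved for target, or None if it is not on the tree."""
    for path, version in parse_tree(text):
        if path[-1] == target:
            return version
    return None


def vulnerable_paths(text, target=TARGET, fixed_in=FIXED_IN):
    """'a > b > target:version' for every occurrence resolved below fixed_in."""
    hits = []
    for path, version in parse_tree(text):
        if path[-1] == target and version_key(version) < version_key(fixed_in):
            hits.append(" > ".join(path[:-1]) + f" > {target}:{version}")
    return hits


if __name__ == "__main__":
    for name, tree in (("plain", TREE_PLAIN), ("with starter", TREE_WITH_STARTER)):
        print(f"{name}: {TARGET} resolves to {resolved_version(tree)}")
        for hit in vulnerable_paths(tree):
            print("  below fix version:", hit)
```

Against a real build, feed it `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` (add `-Dverbose` to also see the copies Maven omitted as conflicts), and run it once per profile or starter combination, since the resolved version depends on the whole classpath. A hit here says an old version is on the classpath, not that the application reaches the affected code, which is the point knoobie makes above; until the framework line you are on ships the bump, the usual remedy is to pin the artifact in your own `<dependencyManagement>` and re-run the tree to confirm.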