Transitive vulnerable dependency

zonkyio / embedded-database-spring-test

A library for creating isolated embedded databases for Spring-powered integration tests.

Apache License 2.0

399 stars 37 forks source link

Closed palhoye closed 4 months ago

palhoye commented 5 months ago

Checkmarx reports the following transitive vulnerability via Gradle for "io.zonky.test:embedded-database-spring-test:2.5.0":

Provides transitive vulnerable dependency maven:org.apache.commons:commons-compress:1.24.0

CVE-2024-26308 7.5 Allocation of Resources Without Limits or Throttling vulnerability with High severity found
CVE-2024-25710 5.5 Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with Medium severity found

tomix26 commented 5 months ago

Thank you for the report. The fix has just been merged into the affected library here: https://github.com/zonkyio/embedded-postgres/pull/128