Update dependencies to fix critical and high severity vulnerabilities #827

ic2hrmk · 2023-01-05T15:57:01Z

Current Behavior

Hi,

There are dependencies imported with High to Critical severity vulnerabilities. Wouldn't you mind bumping its versions?

CVE-2022-1471 [CRITICAL], org.yaml_sankeyaml@1.30
CVE-2022-25857 [HIGH], org.yaml_sankeyaml@1.30
CVE-2022-42003 [HIGH], com.fasterxml.jackson.core_jackson-databind@2.13.4

Expected Behavior

Recommended versions:

org.yaml_sankeyaml@1.31
com.fasterxml.jackson.core_jackson-databind@2.14.0

Steps To Reproduce

No response

Environment

keycloak-config-cli Version: v5.5.0
Java Version: 11

Anything else?

No response

The text was updated successfully, but these errors were encountered:

FraPazGal · 2023-05-23T16:18:42Z

To give a bit more context on this, CVE-2022-1471 actually requires org.yaml_sankeyaml@2.

A couple of new vulnerabilities are also shown when running Trivy on it, CVE-2023-20861 and CVE-2023-20863. These 2 are related to Spring core and should be fixed updating it to 5.3.27.

Could you give more information on whether these vulnerabilities affect the CLI and if there is a plan to address them?

ic2hrmk added the bug label Jan 5, 2023

jonasvoelcker linked a pull request Mar 14, 2024 that will close this issue

Spring Boot 3 and JDK 21 #1001

Open

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependencies to fix critical and high severity vulnerabilities #827

Update dependencies to fix critical and high severity vulnerabilities #827

ic2hrmk commented Jan 5, 2023

FraPazGal commented May 23, 2023

Update dependencies to fix critical and high severity vulnerabilities #827

Update dependencies to fix critical and high severity vulnerabilities #827

Comments

ic2hrmk commented Jan 5, 2023

Current Behavior

Expected Behavior

Steps To Reproduce

Environment

Anything else?

FraPazGal commented May 23, 2023