Commit 121baf69 authored by Joze RIHTARSIC's avatar Joze RIHTARSIC
Upgrade libraries and tackle CVE-2024-23080

parent 43878d48
Pipeline #222053 failed
......@@ -15,6 +15,14 @@
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-*-5.3.39.jar
CVE-2024-38820 - DataBinder is used to bind request parameters to JavaBean objects. The vulnerability is not exploitable by SMP usage of the library.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-.*?@.*$</packageUrl>
<cve>CVE-2024-38820</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-web-5.3.*.jar
CVE-2016-1000027 - The data serialized by the application are from authenticated users and trusted
]]></notes>
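Review bot: the new suppression for CVE-2024-38820 is not bounded by version. The packageUrl regex `^pkg:maven/org\.springframework/spring-.*?@.*$` matches every org.springframework spring-* artifact at any version, while the note records the assessment against spring-*-5.3.39.jar. If the justification is that SMP never binds untrusted request parameters through DataBinder, that holds for this code base regardless of version, but the entry will still silently cover future upgrades; consider pinning the version in the regex (e.g. `@5\.3\.39$`) or setting an `until` date on the `<suppress>` element so the entry gets re-reviewed, and cite in the note where SMP's DataBinder usage was checked.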
......@@ -27,8 +35,10 @@
file name: smp.war: spring-core-5.3.31.jar
The data serialized by the application are from authenticated users and trusted
NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
- CVE-2024-38820: see below the spring-*-5.3.39.jar for the same issue explanation
]]></notes>
<cve>CVE-2016-1000027</cve>
<cve>CVE-2024-38820</cve>
</suppress>
<suppress>
<notes><![CDATA[
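Review bot: the cross-reference in the added note line points the wrong way. This block sits at file line 35 and the spring-*-5.3.39.jar suppression it refers to was added at line 15 in the first hunk, so "see below" should read "see above". The block's own file name line still says spring-core-5.3.31.jar while spring.version in the pom is 5.3.39; update it so the suppression records the artifact it was actually evaluated against.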
......
......@@ -95,7 +95,7 @@ See the Licence for the specific language governing permissions and limitations
<jaxb2-basics.version>1.11.1</jaxb2-basics.version>
<org.glassfish.jaxb.jaxb-runtime.version>2.3.9</org.glassfish.jaxb.jaxb-runtime.version>
<jakarta.xml.bind-api.version>2.3.3</jakarta.xml.bind-api.version>
<junit-jupiter.version>5.11.2</junit-jupiter.version>
<junit-jupiter.version>5.11.3</junit-jupiter.version>
<junit-platform-surefire-provider.version>1.3.2</junit-platform-surefire-provider.version>
<junitparams.version>1.1.1</junitparams.version>
<!-- Use logback 1.2.x because is the one used by springboot 5.7. Changing to 1.3+ will break springboot logging. -->
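Review bot: the junit-jupiter bump to 5.11.3 is fine, but the unchanged comment on the following line is misleading and worth fixing while this region is touched: "springboot 5.7" is not a Spring Boot version (the pom pins spring-boot.version to 2.7.18 a few lines later), so it should read "Spring Boot 2.7", and "because is the one" should read "because it is the one".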
......@@ -109,7 +109,7 @@ See the Licence for the specific language governing permissions and limitations
<spring-modules-jakarta-commons.version>0.8</spring-modules-jakarta-commons.version>
<spring-boot.version>2.7.18</spring-boot.version>
<spring-boot.tomcat.version>9.0.96</spring-boot.tomcat.version>
<spring.security.version>5.8.14</spring.security.version>
<spring.security.version>5.8.15</spring.security.version>
<spring.version>5.3.39</spring.version>
<xmlunit.version>2.10.0</xmlunit.version>
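Review bot: the commit message says this change tackles CVE-2024-23080, but none of the visible hunks names it. The only dependency bumps are junit-jupiter 5.11.2 to 5.11.3 and spring.security 5.8.14 to 5.8.15, and the suppression changes concern CVE-2024-38820 and CVE-2016-1000027. State in the commit message (or in a suppression note) which artifact and version resolves CVE-2024-23080 so the fix can be traced, and confirm that the pipeline failure reported for this commit is unrelated to these bumps.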
......