[MODCON-29] Upgrade spring-boot-starter-actuator and spring-kafka fixing vulns - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: None
Fix Version/s: 1.0.0
Labels:
- security
- security-reviewed

Template:
Sprint:
ACQ Sprint 164
Story Points:
1
Development Team:
Thunderjet
Release:
Poppy (R2 2023)
RCA Group:
Related dependency upgrade
Affected releases:

Poppy (R2 2023)

Description

Upgrade spring-boot-starter-actuator from 3.0.4 to 3.0.6. This indirectly upgrades spring-boot-actuator-autoconfigure from 3.0.4 to 3.0.6 fixing Access Restriction Bypass:

https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-5441321

Upgrade spring-kafka from 3.0.4 to 3.0.6.

Upgrading spring-kafka indirectly upgrades spring-expression from 6.0.6 to 6.0.8 fixing Allocation of Resources Without Limits or Throttling:

https://nvd.nist.gov/vuln/detail/CVE-2023-20861
https://nvd.nist.gov/vuln/detail/CVE-2023-20863

~~Upgrading spring-kafka indirectly~~ upgrades kafka-clients from 3.3.2 to 3.4.0 fixing Deserialization of Untrusted Data:

https://nvd.nist.gov/vuln/detail/CVE-2023-25194

TestRail: Results

Attachments

Activity

People

Assignee:: Adesh Singh

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 26/Apr/23 9:35 PM

Updated:: 30/Apr/23 7:03 AM

Resolved:: 30/Apr/23 7:03 AM

Upgrade spring-boot-starter-actuator and spring-kafka fixing vulns