apollo-common和apollo-biz有一些安全漏洞 · apolloconfig/apollo#5386

(3 comments) (0 reactions) (0 assignees)Java (29,769 stars) (10,177 forks)batch import

help wanted

Description

你好，我引入apollo-common和apollo-biz2.4.0版本，发现有一些安全漏洞，请问有计划进行升级吗？ apollo-common H2 Database Engine:2.1.214 (CVE-2022-45868 (BDSA-2022-3649)) Nimbus-JOSE-JWT:9.22(CVE-2023-52428 (BDSA-2023-3666)) PostgreSQL JDBC Driver (pgjdbc):42.3.8(CVE-2024-1597 (BDSA-2024-0368)) SnakeYAML:1.33(CVE-2022-1471 (BDSA-2022-3447)) Spring Boot:2.7.18(BDSA-2024-5686 (CVE-2024-38807)) Spring Framework:5.3.39(CVE-2016-1000027) Spring Security:5.7.11(BDSA-2024-0647 (CVE-2024-22257)、BDSA-2024-7762)

apollo-biz Apache Commons JXPath:1.3(CVE-2022-40159 (BDSA-2022-3402)) Apache ZooKeeper:3.9.2(BDSA-2024-8266) Jettison - Json Stax implementation:1.4.0(CVE-2022-40149 (BDSA-2022-3277)、CVE-2022-40150 (BDSA-2022-3278)、CVE-2022-45685 (BDSA-2022-3714)、CVE-2022-45693 (BDSA-2022-3715)、CVE-2023-1436 (BDSA-2023-0994)) Woodstox：6.2.1（CVE-2022-40152 (BDSA-2022-2582)）

Contributor guide

Tech stack: java
Domain: backendsecurity
Issue type: security
Difficulty: 3
Estimated time: 1-2 days
Activity status: needs maintainer response
Clarity: clear
Prerequisites: JavaApache Mavendependency management
Newbie friendliness: 40
Research direction: Review the issue comments to see if maintainers have responded about upgrade plans. If not, research the latest patched versions of each listed dependency (H2, Nimbus JOSE JWT, PostgreSQL JDBC, SnakeYAML, Spring Boot, Spring Framework, Spring Security, Apache Commons JXPath, ZooKeeper, Jettison, Woodstox). Create a branch that upgrades these dependencies in the Apollo project's pom.xml files, run the test suite, and open a pull request referencing this issue.