    Bump woodstox : CVE-2022-40151 (#26269) · 84df58aa
    dpsutton authored
    First seen in trivy report:
    https://github.com/metabase/metabase/pull/26161/checks?check_run_id=9326286850
    
    CVE:
    https://avd.aquasec.com/nvd/cve-2022-40151
    
    xstream: Xstream to serialise XML data was vulnerable to Denial of
    Service attacks High
    Package: com.fasterxml.woodstox:woodstox-core
    Installed Version: 6.2.6
    Vulnerability CVE-2022-40151
    Severity: HIGH
    Fixed Version: 5.4.0, 6.4.0
    
    Bumping deps and comparing `clj -X:deps tree` shows the change only adds
    the new dep at the top level and no new deps are brought in by the change.
    
    ```
    ❯ diff --unified deps deps-updated
    --- deps	2022-11-07 08:43:21.000000000 -0600
    +++ deps-updated	2022-11-07 08:49:56.000000000 -0600
    @@ -9,6 +9,8 @@
       X org.slf4j/slf4j-api 1.7.25 :use-top
       X org.apache.logging.log4j/log4j-api 2.18.0 :use-top
       X org.apache.logging.log4j/log4j-core 2.18.0 :use-top
    +com.fasterxml.woodstox/woodstox-core 6.4.0
    +  . org.codehaus.woodstox/stax2-api 4.2.1
     joda-time/joda-time 2.10.13
     commons-codec/commons-codec 1.15
     weavejester/dependency 0.2.1
    @@ -285,8 +287,7 @@
       . org.apache.santuario/xmlsec 2.3.0
         X org.slf4j/slf4j-api 1.7.32 :use-top
         X commons-codec/commons-codec 1.15 :use-top
    -    . com.fasterxml.woodstox/woodstox-core 6.2.6
    -      . org.codehaus.woodstox/stax2-api 4.2.1
    +    X com.fasterxml.woodstox/woodstox-core 6.2.6 :use-top
         . jakarta.xml.bind/jakarta.xml.bind-api 2.3.3
           . jakarta.activation/jakarta.activation-api 1.2.2
       . org.opensaml/opensaml-xmlsec-api 3.4.6
    ```
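Review bot: in the second hunk the transitive `com.fasterxml.woodstox/woodstox-core 6.2.6` under `org.apache.santuario/xmlsec 2.3.0` is not removed, it is only marked `X ... :use-top`, so the remediation rests entirely on the new top-level pin from the first hunk winning resolution; if that top-level entry is later pruned as "unused", the build silently falls back to the vulnerable 6.2.6. Suggest annotating the new top-level `woodstox-core 6.4.0` entry in deps.edn with a comment naming CVE-2022-40151 as the reason it exists, and confirming the resolved classpath carries 6.4.0 only. The unchanged `org.codehaus.woodstox/stax2-api 4.2.1` child in both hunks shows the bump does not shift the StAX2 API version, which supports the "no new deps" claim in the message.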