[FOLIO-3457] spring-module-core: h2database:h2 Remote Code Execution (CVE-2022-23221)

Created: 24/Mar/22
Updated: 08/Apr/22
Resolved: 08/Apr/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug
Priority: P3
Reporter: Julian Ladisch
Assignee: William Welling
Resolution: Done
Votes: 0
Labels: security, security-reviewed, springway
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3456 Test coverage for spring-module-core,... Open
relates to FOLIO-3389 Upgrade spring-module-core to Spring ... Closed
Sprint:
Development Team: None
RCA Group: TBD

 Description   

https://github.com/folio-org/spring-module-core uses com.h2database:h2@1.4.200: https://github.com/folio-org/spring-module-core/blob/main/domain/pom.xml#L44-L47

H2 before 2.1.210 allows remote attackers to execute arbitrary code: https://nvd.nist.gov/vuln/detail/CVE-2022-23221



 Comments   
Comment by Ann-Marie Breaux (Inactive) [ 30/Mar/22 ]

Hi Julian Ladisch or William Welling, which dev team should this be assigned to, and does it need to be a Lotus bugfix or can it wait for Morning Glory?

Generated at Thu Feb 08 23:28:17 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.