[FOLIO-3457] spring-module-core: h2database:h2 Remote Code Execution (CVE-2022-23221)

| Created: | 24/Mar/22 | Updated: | 08/Apr/22 | Resolved: | 08/Apr/22 |
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P3 |
| Reporter: | Julian Ladisch | Assignee: | William Welling |
| Resolution: | Done | Votes: | 0 |
| Labels: | security, security-reviewed, springway |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Development Team: | None |
| RCA Group: | TBD |
| Description |

https://github.com/folio-org/spring-module-core uses com.h2database:h2@1.4.200: https://github.com/folio-org/spring-module-core/blob/main/domain/pom.xml#L44-L47

H2 before 2.1.210 allows remote attackers to execute arbitrary code: https://nvd.nist.gov/vuln/detail/CVE-2022-23221
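Added example (not code from this issue or from the spring-module-core project): a small Python check that parses a Maven pom.xml, resolves a `${...}` property reference for the dependency version, and flags any `com.h2database:h2` pinned below 2.1.210, the first release the NVD entry for CVE-2022-23221 lists as fixed. The `SAMPLE_POM` below is a constructed sample and is not the project's `domain/pom.xml`; the function names are this example's own.

```python
"""Flag a vulnerable com.h2database:h2 version declared in a Maven pom.xml.

Added example, not part of the FOLIO issue or the spring-module-core
project. It walks <dependencies>, expands a ${property} version if the
pom uses one, and compares the result numerically against 2.1.210.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a Maven dependency block; it is NOT a
# copy of spring-module-core's domain/pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>sample-domain</artifactId>
  <version>1.0.0</version>
  <properties>
    <h2.version>1.4.200</h2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>${h2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.3.3</version>
    </dependency>
  </dependencies>
</project>
"""

FIXED_H2_VERSION = "2.1.210"  # first H2 release listed as fixed for CVE-2022-23221
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Turn '2.1.210' into (2, 1, 210) so comparison is numeric, not lexical.

    A plain string compare would wrongly rank '1.4.200' above '2.1.99'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolve_property(value, properties):
    """Expand a single ${name} placeholder using the pom's <properties>."""
    match = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if match is None:
        return value.strip()
    return properties.get(match.group(1), value.strip())


def find_dependency_versions(pom_xml, group_id, artifact_id):
    """Return every declared version string of group_id:artifact_id."""
    root = ET.fromstring(pom_xml)
    # Map property names (tag without namespace) to their text values.
    properties = {
        child.tag.split("}")[-1]: (child.text or "").strip()
        for child in root.findall("m:properties/*", NS)
    }
    versions = []
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default=None, namespaces=NS)
        if gid == group_id and aid == artifact_id and ver is not None:
            versions.append(resolve_property(ver, properties))
    return versions


def vulnerable_h2_versions(pom_xml):
    """Return H2 versions below the fixed release; an empty list means clean."""
    return [
        v for v in find_dependency_versions(pom_xml, "com.h2database", "h2")
        if version_key(v) < version_key(FIXED_H2_VERSION)
    ]


if __name__ == "__main__":
    found = vulnerable_h2_versions(SAMPLE_POM)
    if found:
        print(f"VULNERABLE: com.h2database:h2 {found} < {FIXED_H2_VERSION} (CVE-2022-23221)")
    else:
        print(f"OK: no com.h2database:h2 version below {FIXED_H2_VERSION}")
```

The check only sees versions declared in the pom it is given; a version inherited from a parent pom or pulled in transitively will not appear, so for a multi-module build the same comparison should be run over the resolved dependency tree rather than a single pom.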
| Comments |
| Comment by Ann-Marie Breaux (Inactive) [ 30/Mar/22 ] |

Hi Julian Ladisch or William Welling, which dev team should this be assigned to, and does it need to be a Lotus bugfix or can it wait for Morning Glory?