[FOLIO-3458] spring-module-core: postgresql Remote Code Execution (CVE-2022-21724) Created: 24/Mar/22 Updated: 08/Apr/22 Resolved: 08/Apr/22 |
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P3 |
| Reporter: | Julian Ladisch | Assignee: | William Welling |
| Resolution: | Done | Votes: | 0 |
| Labels: | security, security-reviewed, springway | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Issue links: | |
| Sprint: | |
| Development Team: | None |
| RCA Group: | TBD |
| Description |
https://github.com/folio-org/spring-module-core uses the org.postgresql:postgresql@42.2.23 JDBC driver: https://github.com/folio-org/spring-module-core/blob/main/domain/pom.xml#L49-L52

org.postgresql:postgresql versions before 42.2.25, and 42.3.x before 42.3.2, are vulnerable to Remote Code Execution (RCE) when certain plugin features are used: https://nvd.nist.gov/vuln/detail/CVE-2022-21724 |
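The fixed versions named in the description (42.2.25 on the 42.2 line, 42.3.2 on the 42.3 line) give a concrete check to run against a module's pom.xml. What follows is an added example and not code from the FOLIO project or from pgjdbc: it parses a constructed pom.xml fragment, modelled on the dependency the issue links but with the version held in a Maven property so that property resolution is exercised, and reports whether the declared org.postgresql:postgresql version is still affected by CVE-2022-21724. SAMPLE_POM, FIXED and the helper function names are this example's own.

```python
"""Check a Maven pom.xml for an org.postgresql:postgresql version affected by
CVE-2022-21724 (first fixed releases: 42.2.25 and 42.3.2).

Added example; not code from the FOLIO project. The POM below is constructed
for illustration and mirrors the shape of the dependency the issue points at."""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed pom.xml pinning the driver at the version the
# issue reports, via a property as many multi-module builds do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <postgresql.version>42.2.23</postgresql.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>${postgresql.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First fixed release on each affected branch (per the NVD entry cited above).
FIXED = {(42, 2): (42, 2, 25), (42, 3): (42, 3, 2)}


def parse_version(text):
    """'42.2.23' -> (42, 2, 23). A missing patch component is read as 0 and a
    qualifier after '-' (e.g. '42.3.2-jre7') is ignored for the comparison."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if this pgjdbc version is affected by CVE-2022-21724."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Everything older than the 42.2 line is below every fix; anything newer
    # (42.4 and later) already carries it.
    return branch < (42, 2)


def resolve_properties(root, text):
    """Substitute ${name} with the value of <properties><name> when defined."""
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    out = text
    for name, value in props.items():
        out = out.replace("${" + name + "}", value)
    return out


def find_pgjdbc_version(pom_xml):
    """Return the declared org.postgresql:postgresql version, or None if the
    driver is not declared directly in this POM."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter("{%s}dependency" % NS["m"]):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if group == "org.postgresql" and artifact == "postgresql":
            version = dep.findtext("m:version", default="", namespaces=NS).strip()
            return resolve_properties(root, version) or None
    return None


def check_pom(pom_xml):
    """Return (version, vulnerable). version is None when the driver is not
    declared directly; it may still arrive transitively, which this does not see."""
    version = find_pgjdbc_version(pom_xml)
    if version is None:
        return None, False
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_pom(SAMPLE_POM)
    verdict = "VULNERABLE, upgrade to 42.2.25+ or 42.3.2+" if vulnerable else "ok"
    print("org.postgresql:postgresql %s: %s" % (version, verdict))
```

The check only sees a driver that the POM declares directly. A module that inherits the dependency from a parent POM or pulls it in transitively needs `mvn dependency:tree` (or the resolved effective POM) run first, and the resulting version fed to `is_vulnerable`.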
| Comments |
| Comment by Ann-Marie Breaux (Inactive) [ 30/Mar/22 ] |
Hi Julian Ladisch or William Welling, which dev team should this be assigned to, and does it need to be a Lotus bugfix or can it wait for Morning Glory? |