[FOLIO-3646] mod-workflow: Upgrade to spring-module-core 1.1.2 fixing vulns Created: 21/Nov/22  Updated: 23/Nov/22  Resolved: 23/Nov/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: William Welling
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Other dev
RCA Group: Related dependency upgrade

 Description   

Upgrade org.folio:spring-module-core from 1.1.1 to 1.1.2.

The spring-module-core upgrade indirectly upgrades jackson-databind from 2.13.2.1 to 2.14.0 fixing Denial of Service (DoS):
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
https://nvd.nist.gov/vuln/detail/CVE-2022-42003

The spring-module-core upgrade indirectly upgrades org.postgresql:postgresql from 42.3.3 to 42.5.0 fixing SQL Injection:
https://nvd.nist.gov/vuln/detail/CVE-2022-31197

The spring-module-core upgrade indirectly upgrades spring-beans from 5.3.19 to 5.3.23 fixing Denial of Service (DoS):
https://nvd.nist.gov/vuln/detail/CVE-2022-22970

The spring-module-core upgrade indirectly upgrades spring-data-rest-webmvc from 3.6.4 to 3.7.5 fixing Information Exposure:
https://nvd.nist.gov/vuln/detail/CVE-2022-31679

The spring-module-core upgrade indirectly upgrades snakeyaml from 1.29 to 1.33 fixing Denial of Service (DoS) and Stack-based Buffer Overflow:
https://nvd.nist.gov/vuln/detail/CVE-2022-25857
https://nvd.nist.gov/vuln/detail/CVE-2022-38749
https://nvd.nist.gov/vuln/detail/CVE-2022-38750
https://nvd.nist.gov/vuln/detail/CVE-2022-38751
https://nvd.nist.gov/vuln/detail/CVE-2022-38752
https://nvd.nist.gov/vuln/detail/CVE-2022-41854

The spring-module-core upgrade indirectly upgrades spring-messaging from 5.3.19 to 5.3.23 fixing Denial of Service (DoS):
https://nvd.nist.gov/vuln/detail/CVE-2022-22971

The spring-module-core upgrade indirectly upgrades kotlin-stdlib from 1.3.50 to 1.6.21 fixing Improper Locking and Information Exposure:
https://nvd.nist.gov/vuln/detail/CVE-2022-24329
https://nvd.nist.gov/vuln/detail/CVE-2020-29582

The spring-module-core upgrade indirectly upgrades tomcat-embed-core from 9.0.62 to 9.0.68 fixing HTTP Request Smuggling:
https://nvd.nist.gov/vuln/detail/CVE-2022-42252
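Added example (not part of this ticket, mod-workflow or spring-module-core): a check that the versions Maven actually resolves in the module meet the fixed versions listed above. A bump of spring-module-core only helps if nothing else in the build pins an older transitive, so the script parses `mvn dependency:list` output and flags any listed artifact that resolved below the version quoted here. The sample input is constructed by hand (with snakeyaml deliberately stuck at 1.29 and kotlin-stdlib absent), and the groupIds are the standard Maven coordinates, which the ticket spells out only for org.folio and org.postgresql.

```python
"""Verify resolved Maven versions against the fixed versions in FOLIO-3646.

Usage (assumed invocation, example code only):
    mvn dependency:list -DoutputFile=deps.txt
    python check_deps.py deps.txt
"""
import re
import sys
from typing import Dict, List, Tuple

# (groupId, artifactId) -> version the ticket says the upgrade pulls in.
# groupIds other than org.folio/org.postgresql are the standard coordinates,
# not quoted in the ticket.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("org.folio", "spring-module-core"): "1.1.2",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.14.0",
    ("org.postgresql", "postgresql"): "42.5.0",
    ("org.springframework", "spring-beans"): "5.3.23",
    ("org.springframework.data", "spring-data-rest-webmvc"): "3.7.5",
    ("org.yaml", "snakeyaml"): "1.33",
    ("org.springframework", "spring-messaging"): "5.3.23",
    ("org.jetbrains.kotlin", "kotlin-stdlib"): "1.6.21",
    ("org.apache.tomcat.embed", "tomcat-embed-core"): "9.0.68",
}

_NUM = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sortable key: numeric components (trailing zeros dropped so that
    1.33 == 1.33.0), then a flag so a bare release outranks the same
    number with a qualifier (5.3.23 > 5.3.23-SNAPSHOT)."""
    m = _NUM.match(version)
    if not m:
        return ((), 0, version)
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = m.group(2)
    return (tuple(nums), 1 if qualifier == "" else 0, qualifier)


def parse_dependency_list(text: str) -> Dict[Tuple[str, str], str]:
    """Extract groupId:artifactId -> version from `mvn dependency:list` output.

    Lines look like `[INFO]    g:a:jar:1.2.3:compile`, optionally with a
    classifier before the version or a ` -- module ...` suffix after the
    scope; the version is always the second-to-last colon-separated field.
    """
    resolved: Dict[Tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        parts = line.split(":")
        if len(parts) < 5:  # headers, blank lines, plugin banner
            continue
        resolved[(parts[0], parts[1])] = parts[-2]
    return resolved


def check_fixed_versions(text: str,
                         required: Dict[Tuple[str, str], str] = FIXED_VERSIONS
                         ) -> Dict[str, List[str]]:
    """Classify each required artifact as ok, too_old or absent."""
    resolved = parse_dependency_list(text)
    report: Dict[str, List[str]] = {"ok": [], "too_old": [], "absent": []}
    for (group, artifact), minimum in required.items():
        coord = f"{group}:{artifact}"
        actual = resolved.get((group, artifact))
        if actual is None:
            report["absent"].append(coord)  # not on the classpath at all
        elif version_key(actual) >= version_key(minimum):
            report["ok"].append(f"{coord}:{actual}")
        else:
            report["too_old"].append(f"{coord}:{actual} < {minimum}")
    return report


def passes(text: str) -> bool:
    """True when no listed artifact resolved below its fixed version."""
    return not check_fixed_versions(text)["too_old"]


# Constructed sample of `mvn dependency:list` output (not a real build):
# snakeyaml is pinned at 1.29 by some other dependency, kotlin-stdlib is absent.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:3.3.0:list (default-cli) @ mod-workflow ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.folio:spring-module-core:jar:1.1.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.14.0:compile
[INFO]    org.postgresql:postgresql:jar:42.5.0:runtime
[INFO]    org.springframework:spring-beans:jar:5.3.23:compile
[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:3.7.5:compile
[INFO]    org.yaml:snakeyaml:jar:1.29:compile
[INFO]    org.springframework:spring-messaging:jar:5.3.23:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.68:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEPENDENCY_LIST
    result = check_fixed_versions(data)
    for status, items in result.items():
        for item in items:
            print(f"{status:8s} {item}")
    sys.exit(0 if passes(data) else 1)
```

A `too_old` entry usually means another dependency manages that artifact's version (or a `dependencyManagement` entry in the module's own pom pins it), which `mvn dependency:tree -Dverbose` will show; an `absent` entry is only informational, since an artifact that is not on the classpath cannot be exploited through it.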


Generated at Thu Feb 08 23:29:39 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.