[MODSER-10] Upgrade Grails from 5 to 6 for Quesnelia Created: 15/Oct/23  Updated: 25/Jan/24

Status: Open
Project: mod-serials-management
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: Julian Ladisch Assignee: Owen Stephens
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines SECURITY-56 CVE-2023-20861. spring-web - Analysis... In Progress
Sprint:
Development Team: K-Int
Release: Quesnelia (R1 2024)
RCA Group: Related dependency upgrade

Description

Grails 6 was released on July 25, 2023: https://grails.org/blog/2023-07-25-introducing-grails-6.html

Grails 5 dependencies (including grails-web-testing-support) come with several security vulnerabilities:

org.springframework:spring-webmvc@5.3.19 - Improper Access Control - https://nvd.nist.gov/vuln/detail/CVE-2023-20860

org.grails:grails-databinding@5.1.8 - Arbitrary Code Execution - https://nvd.nist.gov/vuln/detail/CVE-2022-35912

org.yaml:snakeyaml@1.33 - Arbitrary Code Execution - https://nvd.nist.gov/vuln/detail/CVE-2022-1471 - https://folio-org.atlassian.net/wiki/display/SEC/SnakeYaml+SafeConstructor

org.springframework:spring-expression@5.3.24 - Allocation of Resources Without Limits or Throttling - https://nvd.nist.gov/vuln/detail/CVE-2023-20863 , https://www.cve.org/CVERecord?id=CVE-2023-20861

org.springframework.security:spring-security-web@5.8.1 - Session Fixation - https://nvd.nist.gov/vuln/detail/CVE-2023-20862
Generated at Thu Feb 08 22:31:00 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.