[MODSER-10] Upgrade Grails from 5 to 6 for Quesnelia

Created: 15/Oct/23 | Updated: 25/Jan/24

| Status: | Open |
| Project: | mod-serials-management |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task |
| Priority: | P2 |
| Reporter: | Julian Ladisch |
| Assignee: | Owen Stephens |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | None |
| Sprint: | None |
| Development Team: | K-Int |
| Release: | Quesnelia (R1 2024) |
| RCA Group: | Related dependency upgrade |

Description
Grails 6 has been released on July 25, 2023: https://grails.org/blog/2023-07-25-introducing-grails-6.html

Grails 5 dependencies (including grails-web-testing-support) come with several security vulnerabilities:

- org.springframework:spring-webmvc@5.3.19 - Improper Access Control - https://nvd.nist.gov/vuln/detail/CVE-2023-20860
- org.grails:grails-databinding@5.1.8 - Arbitrary Code Execution - https://nvd.nist.gov/vuln/detail/CVE-2022-35912
- org.yaml:snakeyaml@1.33 - Arbitrary Code Execution - https://nvd.nist.gov/vuln/detail/CVE-2022-1471 - https://folio-org.atlassian.net/wiki/display/SEC/SnakeYaml+SafeConstructor
- org.springframework:spring-expression@5.3.24 - Allocation of Resources Without Limits or Throttling - https://nvd.nist.gov/vuln/detail/CVE-2023-20863, https://www.cve.org/CVERecord?id=CVE-2023-20861
- org.springframework.security:spring-security-web@5.8.1 - Session Fixation - https://nvd.nist.gov/vuln/detail/CVE-2023-20862