
Backend: Version Bumping #43

@decause-gov

Description


Issue Report

Backend: Dependency Version Bumping

Expected behavior

Versions are updated to mitigate known vulnerabilities. Let's enable dependabot after this to stay ahead of future dep issues.

Actual behavior

Dependencies
The following packages are out of date and have reported vulnerabilities:

  1. maven:ca.uhn.hapi.fhir:org.hl7.fhir.convertors:5.6.68,
     maven:ca.uhn.hapi.fhir:org.hl7.fhir.validation:5.6.68,
     maven:ca.uhn.hapi.fhir:org.hl7.fhir.utilities:5.6.76,
     maven:ca.uhn.hapi.fhir:org.hl7.fhir.r5:5.6.68,
     maven:ca.uhn.hapi.fhir:org.hl7.fhir.r4b:5.6.68
     CVE-2023-24057
     ○ HL7 (Health Level 7) FHIR Core Libraries prior to 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged terminology cache, NPM package, or comparison archive).
  2. maven:org.springframework.boot:spring-boot-autoconfigure:2.7.5
     CVE-2023-20883
     ○ In org.springframework.boot:spring-boot-autoconfigure versions through 2.5.14, 2.6.0 through 2.6.14, 2.7.0 through 2.7.11, and 3.0.0 through 3.0.6 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
  3. maven:org.yaml:snakeyaml:1.30
     ○ Several CVE alerts; please consider upgrading to version 2.0.
  4. maven:org.springframework:spring-webmvc:5.3.23,
     maven:org.springframework:spring-web:5.3.23,
     maven:org.springframework:spring-expression:5.3.23
     ○ There are several CVE alerts for the Spring Framework; please consider updating to version 6.0.9.
  5. maven:com.fasterxml.woodstox:woodstox-core:6.2.7
     ○ There are several CVE alerts for Woodstox; please consider updating to 6.4.0.
  6. maven:net.minidev:json-smart:2.4.7
     CVE-2023-1370
     ○ Json-smart is a performance-focused JSON processor lib. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects in versions prior to 2.4.9. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
