Merge pull request #109 from catenax-ng/security-fix

fix: CVE-2024-22259 and CVE-2024-22257
eclipse-tractusx · Apr 2, 2024 · c78da20 · c78da20
2 parents 34c69e4 + efed28d
commit c78da20
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ## [Unreleased]
 
+### Fixed
+- Fixed the CVE-2024-22259 and CVE-2024-22257 security issue
+
 ## [2.1.10] - 2024-02-28
 ### Changed
 - Updated Spring Boot to 3.2.3 to fix CVE-2024-22234 and CVE-2024-22243

diff --git a/DEPENDENCIES b/DEPENDENCIES
@@ -89,13 +89,13 @@ maven/mavencentral/org.springframework.boot/spring-boot-starter-validation/3.2.3
 maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.2.3, Apache-2.0, approved, #11916
 maven/mavencentral/org.springframework.boot/spring-boot-starter/3.2.3, Apache-2.0, approved, #11935
 maven/mavencentral/org.springframework.boot/spring-boot/3.2.3, Apache-2.0, approved, #11752
-maven/mavencentral/org.springframework.cloud/spring-cloud-commons/4.1.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.springframework.cloud/spring-cloud-context/4.1.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.springframework.cloud/spring-cloud-commons/4.1.0, Apache-2.0, approved, #13495
+maven/mavencentral/org.springframework.cloud/spring-cloud-context/4.1.0, Apache-2.0, approved, #13494
 maven/mavencentral/org.springframework.cloud/spring-cloud-openfeign-core/4.1.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.cloud/spring-cloud-starter-openfeign/4.1.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.cloud/spring-cloud-starter/4.1.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.security/spring-security-config/6.2.2, Apache-2.0, approved, #11896
-maven/mavencentral/org.springframework.security/spring-security-core/6.2.2, Apache-2.0, approved, #11904
+maven/mavencentral/org.springframework.security/spring-security-core/6.2.3, Apache-2.0, approved, #11904
 maven/mavencentral/org.springframework.security/spring-security-crypto/6.2.2, Apache-2.0 AND ISC, approved, #11908
 maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.2.2, Apache-2.0, approved, #11925
 maven/mavencentral/org.springframework.security/spring-security-oauth2-jose/6.2.2, Apache-2.0, approved, #11893
@@ -108,7 +108,7 @@ maven/mavencentral/org.springframework/spring-context/6.1.4, Apache-2.0, approve
 maven/mavencentral/org.springframework/spring-core/6.1.4, Apache-2.0 AND BSD-3-Clause, approved, #11750
 maven/mavencentral/org.springframework/spring-expression/6.1.4, Apache-2.0, approved, #11747
 maven/mavencentral/org.springframework/spring-jcl/6.1.4, Apache-2.0, approved, #11749
-maven/mavencentral/org.springframework/spring-web/6.1.4, Apache-2.0, approved, #11748
+maven/mavencentral/org.springframework/spring-web/6.1.5, Apache-2.0, approved, #11748
 maven/mavencentral/org.springframework/spring-webmvc/6.1.4, Apache-2.0, approved, #11879
 maven/mavencentral/org.web3j/abi/5.0.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.web3j/crypto/5.0.0, Apache-2.0, approved, clearlydefined

diff --git a/pom.xml b/pom.xml
@@ -161,6 +161,16 @@
                 <artifactId>json-path</artifactId>
                 <version>2.9.0</version>
             </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-web</artifactId>
+                <version>6.1.5</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-core</artifactId>
+                <version>6.2.3</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>