
Address json-path CVE-2023-51074 #5643

Closed
3 tasks done
corneil opened this issue Jan 17, 2024 · 2 comments · Fixed by #5648

Comments

@corneil
Contributor

corneil commented Jan 17, 2024

JsonPath version <= 2.8.0 has CVE-2023-51074 and the fix is yet to be released but should be soon.

When the fix is available, update to version 2.9.0 and be sure to cover the following repos:

  • spring-cloud-dataflow
  • spring-cloud-deployer
  • scs-dataflow (tile)
@corneil corneil self-assigned this Jan 17, 2024
corneil added a commit to corneil/spring-cloud-dataflow that referenced this issue Jan 17, 2024
Had to add entries to dependencyManagement sections because adding the version property wasn't changing all the versions. Presuming that some external dependencies include 2.7.0 directly and not via a property, and are encountered before the Boot dependencies.

Fixes spring-cloud#5643
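A worked illustration of what the issue asks for (pin json-path at 2.9.0 across every repo) and of the approach the commit message describes (a version property plus an explicit dependencyManagement entry). This is an added example, not the project's actual pom.xml: the group, artifact and 2.9.0 version are the ones named in this thread, while the property name `json-path.version` and the example's own project coordinates are assumptions.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Assumed coordinates for this example project. -->
  <groupId>com.example</groupId>
  <artifactId>json-path-pin-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- The property on its own only affects dependencies whose version is
         resolved through this property (for example via an imported BOM that
         references it). It does nothing for a dependency that declares
         json-path with a hard-coded version. -->
    <json-path.version>2.9.0</json-path.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed entry declared directly in this POM overrides the version
           of json-path wherever it appears in the graph: versions hard-coded
           by transitive dependencies and versions coming from imported BOMs. -->
      <dependency>
        <groupId>com.jayway.jsonpath</groupId>
        <artifactId>json-path</artifactId>
        <version>${json-path.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No version here: the managed entry above supplies it. Any copy of
         json-path pulled in transitively by other dependencies is governed by
         the same managed entry. -->
    <dependency>
      <groupId>com.jayway.jsonpath</groupId>
      <artifactId>json-path</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm the pin took effect, run `mvn dependency:tree -Dincludes=com.jayway.jsonpath` in each module and check that every json-path node resolves to 2.9.0; a module still showing 2.7.0 or 2.8.0 is one whose POM (or parent) lacks the managed entry, which is why the issue lists each repo that has to be covered separately.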
@yeikel

yeikel commented Jan 19, 2024

Have you considered using Dependabot? That way not only this but all other dependencies will be updated automatically.

@onobc
Contributor

onobc commented Jan 19, 2024

Hi @yeikel, yes we use Dependabot. In this case, the fix is not yet available, so Dependabot is not helpful.

@onobc onobc changed the title Update com.jayway.jsonpath:json-path to 2.8.0 Address json-path CVE-2023-51074 Jan 19, 2024
corneil added a commit to corneil/spring-cloud-dataflow that referenced this issue Jan 22, 2024
Had to add entries to dependencyManagement sections because adding the version property wasn't changing all the versions. Presuming that some external dependencies include 2.7.0 directly and not via a property, and are encountered before the Boot dependencies.

Fixes spring-cloud#5643
corneil added a commit to corneil/spring-cloud-dataflow that referenced this issue Jan 23, 2024
corneil added a commit to corneil/spring-cloud-dataflow that referenced this issue Jan 23, 2024
onobc pushed a commit that referenced this issue Jan 23, 2024
@corneil corneil added this to the 2.11.3 milestone May 17, 2024