You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@eventmesh.apache.org by GitBox <gi...@apache.org> on 2022/04/06 02:51:03 UTC

[GitHub] [incubator-eventmesh] xwm1992 opened a new issue, #823: [Bug] upgrade spring libs because current version brings in jars with CVEs

xwm1992 opened a new issue, #823:
URL: https://github.com/apache/incubator-eventmesh/issues/823

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/eventmesh/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### Environment
   
   Window
   
   ### EventMesh version
   
   master
   
   ### What happened
   
   A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
   
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
   
   ### How to reproduce
   
   N/A
   
   ### Debug logs
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@eventmesh.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@eventmesh.apache.org
For additional commands, e-mail: dev-help@eventmesh.apache.org

[GitHub] [incubator-eventmesh] xwm1992 closed issue #823: [Bug] upgrade spring libs because current version brings in jars with CVEs

Posted by GitBox <gi...@apache.org>.
xwm1992 closed issue #823: [Bug] upgrade spring libs because current version brings in jars with CVEs
URL: https://github.com/apache/incubator-eventmesh/issues/823


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@eventmesh.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@eventmesh.apache.org
For additional commands, e-mail: dev-help@eventmesh.apache.org