
Update dependencies to fix critical and high severity vulnerabilities

Open ic2hrmk opened this issue 2 years ago • 1 comment

Current Behavior

Hi,

There are dependencies imported with High to Critical severity vulnerabilities. Would you mind bumping their versions?

  • CVE-2022-1471 [CRITICAL], org.yaml_snakeyaml@1.30
  • CVE-2022-25857 [HIGH], org.yaml_snakeyaml@1.30
  • CVE-2022-42003 [HIGH], com.fasterxml.jackson.core_jackson-databind@2.13.4

Expected Behavior

Recommended versions:

  • org.yaml_snakeyaml@1.31
  • com.fasterxml.jackson.core_jackson-databind@2.14.0

Steps To Reproduce

No response

Environment

  • keycloak-config-cli Version: v5.5.0
  • Java Version: 11

Anything else?

No response

ic2hrmk avatar Jan 05 '23 15:01 ic2hrmk

To give a bit more context on this, CVE-2022-1471 actually requires org.yaml_snakeyaml@2.

A couple of new vulnerabilities are also shown when running Trivy on it, CVE-2023-20861 and CVE-2023-20863. These two are related to Spring core and should be fixed by updating it to 5.3.27.

Could you give more information on whether these vulnerabilities affect the CLI and if there is a plan to address them?

FraPazGal avatar May 23 '23 16:05 FraPazGal