
IDEA reports severe risks CVE-2024-26308 and CVE-2024-25710

Open treebreath opened this issue 1 year ago • 5 comments

Please read the documentation first

Quick start / FAQ

Description of the triggering scenario

Dependency code:

        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>easyexcel</artifactId>
        </dependency>

The version in use is 4.0.3.

IDEA highlights the risk:

```
Provides transitive vulnerable dependency maven:org.apache.commons:commons-compress:1.25.0
CVE-2024-26308 7.5 Allocation of Resources Without Limits or Throttling vulnerability with High severity found
CVE-2024-25710 5.5 Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with Medium severity found
```

If version 3.3.3 is used, there are 5 risk warnings.

treebreath avatar Sep 27 '24 09:09 treebreath

We have a big update in the 4.0.x version. So if you care about this, I strongly suggest updating easyexcel to 4.0.x.

psxjoy avatar Sep 29 '24 01:09 psxjoy

AFAIK, version 3.x.x is no longer supported unless there is a major bug.

psxjoy avatar Sep 29 '24 01:09 psxjoy

Up to version 4.0.3, this vulnerability in commons-compress has not been addressed. You can try excluding it and adding the dependency manually yourself. In our tests, this approach hasn't caused any issues so far.

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>easyexcel</artifactId>
    <version>x.x.x</version>
    <exclusions>
        <exclusion>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-compress</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-compress</artifactId>
    <version>1.26.1</version>
</dependency>

Allamss avatar Sep 30 '24 03:09 Allamss
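An alternative to the exclusion shown above, added here as an example and not code from the easyexcel project or from anyone in this thread: pin commons-compress through `dependencyManagement`, which overrides the version on every dependency path (including any other library that also pulls commons-compress in), so no `<exclusion>` on the easyexcel dependency is needed. The coordinates, the easyexcel version 4.0.3 and the commons-compress version 1.26.1 are the ones named in this thread; the `com.example` project coordinates are placeholders.

```xml
<!-- Added example (not from the easyexcel project or this thread). Pins
     commons-compress for all dependency paths via dependencyManagement.
     com.example / easyexcel-pinned are placeholder coordinates. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>easyexcel-pinned</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- CVE-2024-25710 and CVE-2024-26308 are fixed in commons-compress 1.26.0;
         1.26.1 is the version suggested in the thread. -->
    <commons-compress.version>1.26.1</commons-compress.version>
  </properties>

  <!-- dependencyManagement sets the version used wherever this artifact is
       resolved transitively, without making it a direct dependency. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>${commons-compress.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The dependency from the issue; commons-compress 1.25.0 arrives
         transitively and is overridden by the managed version above. -->
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>easyexcel</artifactId>
      <version>4.0.3</version>
    </dependency>
  </dependencies>
</project>
```

Verify the result with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress`; the only commons-compress entry printed should be 1.26.1. Note that `dependencyManagement` only applies to the module that declares it and modules that inherit from it, and that moving to a newer commons-compress can change its own transitive dependencies, so re-run the full tree and the test suite after the change.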

> We have a big update in the 4.0.x version. So if you care about this, I strongly suggest updating easyexcel to 4.0.x.

Hi, I am using version 4.0.3; it reports two transitive vulnerable dependencies in maven:org.apache.commons:commons-compress:1.25.0:

```
https://github.com/advisories/GHSA-4265-ccf5-phj5 7.5 Allocation of Resources Without Limits or Throttling vulnerability with High severity found
https://github.com/advisories/GHSA-4g9r-vxhx-9pgx 5.5 Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with Medium severity found
```

I just mean that if I use version 3.3.3 it reports five transitive vulnerable dependencies, so version 4.x still leaves 2 security risks.

treebreath avatar Oct 01 '24 03:10 treebreath

I think @Allamss's suggestion is a good idea. We will fix these later.

psxjoy avatar Oct 08 '24 01:10 psxjoy