
v9.2.0 Provides transitive vulnerable dependency maven:com.google.guava:guava:31.1-jre

Open hmzgtl16 opened this issue 1 year ago • 6 comments

CVE-2023-2976 7.1 Files or Directories Accessible to External Parties vulnerability with High severity foun

hmzgtl16 avatar Dec 29 '23 15:12 hmzgtl16

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

google-oss-bot avatar Dec 29 '23 15:12 google-oss-bot

Does anyone know when it will be fixed?

Malnen avatar Feb 08 '24 12:02 Malnen

UPDATE: There is another in v9.2.0: CVE-2024-29025, due to io.netty:netty-codec-http 4.1.107.Final

Chikouni avatar Mar 29 '24 11:03 Chikouni

While we wait for this to be resolved, you can override Guava from Firebase Admin SDK with a version that does not have a breaking change.

Screenshot 2024-04-16 at 16 17 45

cybersokari avatar Apr 16 '24 15:04 cybersokari
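The override described above, written out as a Maven `dependencyManagement` fragment. This is an added example, not the screenshot's contents or anything from the firebase-admin-java project; the patched versions it pins (Guava 32.0.1-jre for CVE-2023-2976, netty-codec-http 4.1.108.Final for CVE-2024-29025) are this editor's assumption and are not stated anywhere in the thread, so confirm them against the advisories before relying on them.

```xml
<!-- pom.xml (excerpt). Added example: pins the vulnerable transitive
     dependencies pulled in by firebase-admin 9.2.0 to newer versions.
     Versions below are assumed patched releases, not values from the issue. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- CVE-2023-2976: Guava < 32.0.0 created temp dirs with weak permissions.
           dependencyManagement wins over the version firebase-admin declares. -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.0.1-jre</version>
      </dependency>
      <!-- CVE-2024-29025: netty-codec-http 4.1.107.Final (assumed fixed in 4.1.108). -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-codec-http</artifactId>
        <version>4.1.108.Final</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.google.firebase</groupId>
      <artifactId>firebase-admin</artifactId>
      <version>9.2.0</version>
    </dependency>
  </dependencies>
</project>
```

After applying the override, check that the resolved tree actually reflects it (`mvn dependency:tree -Dincludes=com.google.guava,io.netty`) and run the full test suite: as the next comment notes, forcing a transitive version can break the SDK if the newer artifact removed an API it uses, so the override is a stopgap until the SDK itself bumps its dependencies.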

Overriding transitive deps might be dangerous, and should be avoided :-( Any news on that?

jedjebari avatar Apr 23 '24 08:04 jedjebari

https://www.cnbc.com/2024/04/23/google-search-boss-raghavan-warns-employees-of-new-operating-reality.html

Maybe other bosses can take a hint from their colleague.

yssoe avatar Apr 26 '24 12:04 yssoe

Thanks folks, this should be now fixed in the latest release (v9.30)

lahirumaramba avatar May 21 '24 18:05 lahirumaramba

> Thanks folks, this should be now fixed in the latest release (v9.30)

Thanks for the update! But I believe that should read v9.3.0

AndyCodez avatar May 23 '24 15:05 AndyCodez