
CVE-2022-42889 in latest version

Open jaydeepkhandelwal opened this issue 2 years ago • 3 comments

Describe the bug commons-text (>= 1.5 and <= 1.9) has been flagged by CVE-2022-42889. It affects graphql-spring-boot as its latest version still contains a vulnerable version of commons-text (1.9).

To Reproduce https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Expected behavior Upgrade commons-text to 1.10.0 or greater.

jaydeepkhandelwal avatar Nov 02 '22 19:11 jaydeepkhandelwal

When will there be a bugfix release of this package that resolves this bug? Is there a release in the works, or will this take a long time?

steam0 avatar Nov 21 '22 11:11 steam0

Looks like a fix has been made but a release hasn't been created here: https://github.com/graphql-java-kickstart/graphql-spring-boot/commit/69dade877d0d8afd422102e783a59e5a87d2c59e

It would be good to make point releases with this fix for older versions such as 12.0.0 so that a major upgrade doesn't need to take place.

aembleton avatar Nov 23 '22 10:11 aembleton

Just published release 14.1.0: https://github.com/graphql-java-kickstart/graphql-spring-boot/releases/tag/v14.1.0.

Will check if I can set up a pipeline to release a fix for 12.0.0. Although upgrading from v12.0.0 to the latest shouldn't really cause any major issues.

oliemansm avatar Nov 23 '22 11:11 oliemansm
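Editor's note: for anyone still on an older starter version and wanting to confirm whether their build pulls in an affected commons-text, here is an added example (not code from the graphql-spring-boot project or from anyone in this thread). It walks `mvn dependency:tree` output, flags every `org.apache.commons:commons-text` in the range the issue states (>= 1.5 and < 1.10.0) and prints the dependency path that drags it in. The sample tree is constructed for illustration; the intermediate `graphql-kickstart-spring-support` hop is hypothetical, as the issue only says the starter ships commons-text 1.9.

```python
import re
from typing import Dict, List

# Affected range as stated in the issue (>= 1.5 and <= 1.9); fixed in 1.10.0.
AFFECTED_MIN = (1, 5, 0)
FIXED_IN = (1, 10, 0)
TARGET = ("org.apache.commons", "commons-text")

# group:artifact[:packaging]:version[:scope], the coordinate format printed by
# `mvn dependency:tree`. Tree glyphs in front of it are used to measure depth.
_COORD_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+)"
    r"(?::[A-Za-z0-9_\-]+)?:(?P<version>\d[A-Za-z0-9_.\-]*)"
)


def parse_version(version: str) -> tuple:
    """'1.9' -> (1, 9, 0); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """True for commons-text versions in [1.5, 1.10.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def scan_tree(lines: List[str], indent_width: int = 3) -> List[Dict[str, str]]:
    """Walk `mvn dependency:tree` output (3 columns per nesting level) and return
    every affected commons-text occurrence with the path that pulls it in."""
    ancestors: List[str] = []  # coordinate of the node at each depth
    findings: List[Dict[str, str]] = []
    for line in lines:
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        match = _COORD_RE.search(body)
        if not match:
            continue
        # Only tree glyphs may precede a coordinate; anything else is not a node.
        if body[: match.start()].strip(" |+\\-"):
            continue
        depth = match.start() // indent_width
        coord = f"{match['group']}:{match['artifact']}:{match['version']}"
        del ancestors[depth:]          # drop siblings/children of the previous node
        ancestors.append(coord)
        if (match["group"], match["artifact"]) == TARGET and is_affected(match["version"]):
            findings.append({"version": match["version"], "path": " -> ".join(ancestors)})
    return findings


# Constructed sample of `mvn dependency:tree` output. The intermediate hop
# (graphql-kickstart-spring-support) is hypothetical; the issue only states
# that the starter ships commons-text 1.9.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.graphql-java-kickstart:graphql-spring-boot-starter:jar:12.0.0:compile
[INFO] |  \\- com.graphql-java-kickstart:graphql-kickstart-spring-support:jar:12.0.0:compile
[INFO] |     \\- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
""".splitlines()

if __name__ == "__main__":
    for hit in scan_tree(SAMPLE_TREE):
        print(f"CVE-2022-42889: commons-text {hit['version']} via {hit['path']}")
```

Feed it `mvn dependency:tree` output from your own project instead of the sample. If it reports a hit and you cannot take the 14.1.0 starter yet, a Gradle dependency constraint on `org.apache.commons:commons-text:1.10.0` (or a Maven `dependencyManagement` entry for the same coordinate) overrides the transitive version without waiting for a point release; rerun the tree afterwards and the scanner should come back empty.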