
CVE-2023-6378

Open dreamglobe opened this issue 7 months ago • 10 comments

Expected behavior

not to include shaded dependencies inside jar

Actual behavior

shaded dependency has a vulnerability and I cannot fix it

To Reproduce

Run trivy check and it will alert:

Java (jar)

Total: 3 (HIGH: 3, CRITICAL: 0)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| ch.qos.logback:logback-classic (applicationinsights-runtime-attach-3.4.11.jar) | CVE-2023-6378 | HIGH | fixed | 1.2.12 | 1.3.12, 1.4.12 | A serialization vulnerability in logback receiver component part of l ...... https://avd.aquasec.com/nvd/cve-2023-6378 |
| ch.qos.logback:logback-core (applicationinsights-runtime-attach-3.4.11.jar) | CVE-2023-6378 | HIGH | fixed | 1.2.12 | 1.3.12, 1.4.12 | A serialization vulnerability in logback receiver component part of l ...... https://avd.aquasec.com/nvd/cve-2023-6378 |
| io.netty:netty-codec-http2 (applicationinsights-runtime-attach-3.4.11.jar) | GHSA-xpw8-rcwv-8f8p | HIGH | fixed | 4.1.90.Final | 4.1.100.Final | io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack https://github.com/advisories/GHSA-xpw8-rcwv-8f8p |

System information

Please provide the following information:

  • SDK Version: 21
  • OS type and version: everyone
  • Application Server type and version (if applicable):
  • Using spring-boot? doesn't matter
  • Additional relevant libraries (with version, if applicable):

Logs

no need for logs

Screenshots

not applicable

dreamglobe · Nov 30 '23 14:11
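The Trivy finding above comes from the `META-INF/maven/<group>/<artifact>/pom.properties` files that shading normally leaves inside the jar. The script below is an added example, not code from the issue or from the ApplicationInsights-Java project: it reads those files from a jar, compares each shaded version against the fixed versions listed in the Trivy table, and reports what is still below the fix. The jar is constructed in memory with the versions from the issue so the script runs offline; the "same major.minor line" rule it applies is an assumption that mirrors how scanners usually read a multi-branch fix list.

```python
import io
import re
import zipfile

# Fixed versions copied from the Trivy table in the issue.
FIXED = {
    "ch.qos.logback:logback-classic": ["1.3.12", "1.4.12"],
    "ch.qos.logback:logback-core": ["1.3.12", "1.4.12"],
    "io.netty:netty-codec-http2": ["4.1.100.Final"],
}

def version_key(v):
    """'4.1.90.Final' -> (4, 1, 90); '1.2.12' -> (1, 2, 12)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def shaded_dependencies(jar_bytes):
    """Map 'group:artifact' -> version for every shaded pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, val = line.partition("=")
                        props[key.strip()] = val.strip()
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found

def is_fixed(installed, fixes):
    """Assumed rule: fixed if >= the fix on the same major.minor line, or >= the newest fix."""
    inst, fix_keys = version_key(installed), [version_key(f) for f in fixes]
    same_line = [f for f in fix_keys if f[:2] == inst[:2]]
    return inst >= min(same_line) if same_line else inst >= max(fix_keys)

def vulnerable(deps):
    """Return [(coordinate, installed, fixed_versions)] for shaded deps below their fix."""
    return [(c, v, FIXED[c]) for c, v in sorted(deps.items())
            if c in FIXED and not is_fixed(v, FIXED[c])]

def build_sample_jar():
    """Constructed jar shading the versions from the issue plus one unaffected artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for g, a, v in [("ch.qos.logback", "logback-classic", "1.2.12"),
                        ("ch.qos.logback", "logback-core", "1.2.12"),
                        ("io.netty", "netty-codec-http2", "4.1.90.Final"),
                        ("io.netty", "netty-common", "4.1.100.Final")]:
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                         f"#generated\ngroupId={g}\nartifactId={a}\nversion={v}\n")
    return buf.getvalue()

if __name__ == "__main__":
    for coord, installed, fixes in vulnerable(shaded_dependencies(build_sample_jar())):
        print(f"{coord} {installed} is below fixed version(s) {', '.join(fixes)}")
```

Point `shaded_dependencies` at the bytes of a real `applicationinsights-runtime-attach-*.jar` to see which shaded coordinates a release actually carries; the FIXED map is only as current as the advisories you load into it.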