ApplicationInsights-Java
CVE-2023-6378
Expected behavior
Not to include shaded dependencies inside the jar.
Actual behavior
The shaded dependency has a vulnerability and I cannot fix it.
To Reproduce
Run a Trivy scan and it will alert:
Java (jar)

Total: 3 (HIGH: 3, CRITICAL: 0)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| ch.qos.logback:logback-classic (applicationinsights-runtime-attach-3.4.11.jar) | CVE-2023-6378 | HIGH | fixed | 1.2.12 | 1.3.12, 1.4.12 | A serialization vulnerability in logback receiver component part of l ...... https://avd.aquasec.com/nvd/cve-2023-6378 |
| ch.qos.logback:logback-core (applicationinsights-runtime-attach-3.4.11.jar) | CVE-2023-6378 | HIGH | fixed | 1.2.12 | 1.3.12, 1.4.12 | A serialization vulnerability in logback receiver component part of l ...... https://avd.aquasec.com/nvd/cve-2023-6378 |
| io.netty:netty-codec-http2 (applicationinsights-runtime-attach-3.4.11.jar) | GHSA-xpw8-rcwv-8f8p | HIGH | fixed | 4.1.90.Final | 4.1.100.Final | io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack https://github.com/advisories/GHSA-xpw8-rcwv-8f8p |
System information
Please provide the following information:
- SDK Version: 21
- OS type and version: everyone
- Application Server type and version (if applicable):
- Using spring-boot? doesn't matter
- Additional relevant libraries (with version, if applicable):
Logs
No need for logs.
Screenshots
Not applicable.
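The Trivy findings in the issue are derived from metadata bundled inside the jar, and it is useful to be able to confirm independently which shaded artifacts and versions a jar actually carries before opening or triaging a report like this one. The Python below is an added example, not code from the ApplicationInsights-Java project or from the issue reporter: it reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` files that Maven-built dependencies keep when they are shaded into a jar (one of the places jar scanners look when attributing classes to a coordinate) and flags any coordinate whose version is below the lowest fixed version listed in the table above. The advisory map and the in-memory sample jar are constructed for the demo with the versions from the Trivy output; the real `applicationinsights-runtime-attach-3.4.11.jar` is not bundled, and `FIXED_VERSIONS`, `list_artifacts` and `find_vulnerable` are names chosen here.

```python
"""Inspect a jar for shaded Maven artifacts and compare them against fixed versions.

Added example (not ApplicationInsights-Java project code). It reads the
META-INF/maven/<group>/<artifact>/pom.properties entries that Maven-built
artifacts carry. The jar used below is constructed in memory for the demo;
for a real jar call list_artifacts("path/to/file.jar") or find_vulnerable(...).
"""
import io
import re
import zipfile

# Constructed advisory map, taken from the Trivy table in the issue:
# coordinate -> (advisory id, fixed versions as reported by Trivy).
FIXED_VERSIONS = {
    "ch.qos.logback:logback-classic": ("CVE-2023-6378", ["1.3.12", "1.4.12"]),
    "ch.qos.logback:logback-core": ("CVE-2023-6378", ["1.3.12", "1.4.12"]),
    "io.netty:netty-codec-http2": ("GHSA-xpw8-rcwv-8f8p", ["4.1.100.Final"]),
}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def version_key(version):
    """Compare on numeric components only, so 4.1.100.Final sorts above 4.1.90.Final."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def list_artifacts(jar):
    """Return {"groupId:artifactId": version} for every pom.properties found in the jar."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            # Prefer the values in the file; fall back to the path components.
            group = props.get("groupId", match.group(1))
            artifact = props.get("artifactId", match.group(2))
            if "version" in props:
                found[f"{group}:{artifact}"] = props["version"]
    return found


def find_vulnerable(jar, fixed=FIXED_VERSIONS):
    """Flag shaded artifacts whose version is below the lowest listed fixed version.

    Returns a sorted list of (coordinate, installed, advisory, fixed_versions).
    """
    hits = []
    for coord, installed in list_artifacts(jar).items():
        if coord not in fixed:
            continue
        advisory, fixed_versions = fixed[coord]
        lowest_fix = min(version_key(v) for v in fixed_versions)
        if version_key(installed) < lowest_fix:
            hits.append((coord, installed, advisory, fixed_versions))
    return sorted(hits)


def build_sample_jar():
    """Constructed stand-in for applicationinsights-runtime-attach-3.4.11.jar.

    Only Maven metadata is written, with the versions Trivy reported in the
    issue plus one unaffected artifact. This is not the real jar.
    """
    entries = {
        "ch.qos.logback/logback-classic": "1.2.12",
        "ch.qos.logback/logback-core": "1.2.12",
        "io.netty/netty-codec-http2": "4.1.90.Final",
        "com.example/unrelated-lib": "2.0.0",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, version in entries.items():
            group, artifact = path.split("/")
            zf.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n",
            )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for coord, installed, advisory, fixed in find_vulnerable(build_sample_jar()):
        print(f"{coord} {installed}: {advisory}, fixed in {', '.join(fixed)}")
```

Two caveats when running this against a real jar: a shading plugin that relocates packages may drop or rewrite the `pom.properties` entries, so an empty result is not proof that a dependency is absent (listing class paths with `unzip -l` is the fallback), and a version below the lowest fixed version on an older release line, such as 1.2.12 against fixes in 1.3.12 and 1.4.12, means the only remediation is moving to a fixed line, which is exactly why a consumer cannot patch a shaded copy themselves.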