
CVE-2022-36944 - Scala vulnerability with 9.8 score

Open crea1 opened this issue 2 years ago • 2 comments

Hi 👋

Currently our dependency checks started failing on SwayDB due to the scala libraries related to this CVE https://nvd.nist.gov/vuln/detail/CVE-2022-36944

[ERROR] scala-library-2.13.8.jar: CVE-2022-36944(9.8)
[ERROR] scala-reflect-2.13.0.jar: CVE-2022-36944(9.8)

We are using

    <dependency>
      <groupId>io.swaydb</groupId>
      <artifactId>java_2.13</artifactId>
      <version>0.16.2</version>
    </dependency>

Seems that these are fixed in scala-library 2.13.9, latest being 2.13.10 as of writing.

Would be super nice to get a patch on this.

Thank you for SwayDB ❤️

Kind regards, Marius

crea1, Oct 24 '22 07:10
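A consumer-side workaround for the situation described in the report, as an added example rather than anything from the issue or from SwayDB: pin the transitive Scala artifacts in your own pom.xml so the scanner sees the patched version. It assumes Scala 2.13.x patch releases are binary compatible with each other, so the SwayDB 0.16.2 jars run unchanged against scala-library 2.13.10.

```xml
<!-- Added example for illustration; not from the SwayDB project or the issue.
     Consumer-side pom.xml fragment that keeps io.swaydb:java_2.13:0.16.2 but
     forces the transitive Scala artifacts flagged by the scanner onto the
     patched 2.13.10 line (the report says the CVE is fixed from 2.13.9). -->
<project>
  <!-- ... groupId/artifactId/version of your own project here (placeholder) ... -->

  <properties>
    <!-- Assumption: Scala 2.13.x patch releases are binary compatible, so
         raising these versions does not require a rebuilt SwayDB. -->
    <scala.version>2.13.10</scala.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A version declared here wins over the 2.13.8 / 2.13.0 that
           java_2.13 pulls in transitively. -->
      <dependency>
        <groupId>org.scala-lang</groupId>
        <artifactId>scala-library</artifactId>
        <version>${scala.version}</version>
      </dependency>
      <dependency>
        <groupId>org.scala-lang</groupId>
        <artifactId>scala-reflect</artifactId>
        <version>${scala.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Unchanged: the dependency from the report above. -->
    <dependency>
      <groupId>io.swaydb</groupId>
      <artifactId>java_2.13</artifactId>
      <version>0.16.2</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.scala-lang` (only 2.13.10 should appear) before re-running the dependency check.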

Hey! Thank you for reporting this. This is something that should definitely be sorted out.

Just FYI, SwayDB's last release was 2 years ago and is over 400 commits behind new updates.

I have not been able to figure out how to continue SwayDB's development. Time being the biggest factor. So I'm not sure when this issue will be resolved.

Thanks heaps for reporting this.

simerplaha, Oct 24 '22 12:10

Thank you for replying! I totally understand your situation. But at least now you are aware should you some day find the extra time.

Cheers!

crea1, Oct 26 '22 07:10