Bug 575075 - Dependency vulnerabilities in MicroProfile sandbox repository
Status: NEW
Product: Microprofile
Classification: Technology
Component: General
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Project inbox
Reported: 2021-07-27 11:11 EDT by Wayne Beaton
Modified: 2021-07-27 11:11 EDT
Description Wayne Beaton CLA 2021-07-27 11:11:10 EDT
Dependabot has reported the following. 

Maybe consider configuring Dependabot to create PRs [1].

eclipse/microprofile-sandbox: Known security vulnerabilities detected

Dependency: junit:junit
Version: >= 4.7 < 4.13.1
Upgrade to: ~> 4.13.1
Defined in: pom.xml
Suggested update: #81
Vulnerabilities: CVE-2020-15250 (Moderate severity)

Dependency: commons-io:commons-io
Version: < 2.7
Upgrade to: ~> 2.7
Defined in: pom.xml
Suggested update: #83
Vulnerabilities: CVE-2021-29425 (Moderate severity)

Dependency: org.jboss.resteasy:resteasy-client-microprofile
Version: <= 4.5.6.Final
Upgrade to: ~> 4.5.7.Final
Defined in: pom.xml
Suggested update: #84
Vulnerabilities: CVE-2020-25633 (Moderate severity)

Dependency: org.hibernate.validator:hibernate-validator
Version: >= 6.1.0.Final <= 6.1.4.Final
Upgrade to: ~> 6.1.5.Final
Defined in: pom.xml
Suggested update: #85
Vulnerabilities: CVE-2020-10693 (Moderate severity)

[1] https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates
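The suggestion in the comment above points at Dependabot version updates, which are switched on by committing a `.github/dependabot.yml` file to the repository. The configuration below is an added illustration, not a file from the microprofile-sandbox repository or from the reporter; it assumes a single Maven `pom.xml` at the repository root (the "Defined in" column above) and a weekly check, both of which are choices, not facts taken from the bug. The `version`, `updates`, `package-ecosystem`, `directory`, `schedule.interval` and `open-pull-requests-limit` keys are the documented Dependabot configuration keys.

```yaml
# .github/dependabot.yml (added example; assumed layout: one Maven pom.xml at the repo root)
version: 2
updates:
  - package-ecosystem: "maven"   # Dependabot reads pom.xml and opens PRs for newer artifact versions
    directory: "/"               # location of the pom.xml relative to the repository root (assumption)
    schedule:
      interval: "weekly"         # how often Dependabot checks for newer versions (assumption)
    open-pull-requests-limit: 10 # cap on concurrent version-update PRs so the inbox stays reviewable
```

Version updates are distinct from the security alerts reproduced in this report: the alerts (and the "Suggested update" PRs #81 to #85) come from Dependabot security updates, which are enabled per repository in its settings, whereas the file above makes Dependabot also propose routine upgrades before a dependency appears in an advisory. Each PR Dependabot opens should still be reviewed and run through the project's build and tests before merging, since a major-version bump can change API behaviour as well as close a CVE.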