Details
- Task
- Resolution: Done
- Neutral
- None
- BOM 5.7.27, BOM 6.2.35
- None
- Yes
Description
[ERROR] grpc-context-1.53.0.jar: CVE-2023-32731(7.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-32731
magnolia-dx-core-demo-webapp-6.3-SNAPSHOT.war: grpc-context-1.27.2.jar (cpe:2.3:a:grpc:grpc:1.27.2:*:*:*:*:*:*:*) : CVE-2023-32732
https://nvd.nist.gov/vuln/detail/CVE-2023-32732
This looks like a false positive, as the issue actually concerns the C-based gRPC library. Magnolia pulls in grpc-context, which is part of the Java flavour of gRPC and is not affected.
See https://github.com/grpc/grpc/releases/tag/v1.53.1
The library comes in transitively via google-http-client:jar -> opencensus-api, both at their latest versions at the time of writing.
[INFO] | +- info.magnolia:magnolia-module-mail:jar:5.6:compile
[INFO] | | +- com.google.http-client:google-http-client:jar:1.43.2:compile
[INFO] | | | +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] | | | | \- io.grpc:grpc-context:jar:1.53.0:compile
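A suppression that records this false positive for the scanner, added here as an example and not taken from the ticket. It assumes the scanner is OWASP Dependency-Check (the `[ERROR]` line and the `cpe:2.3:` notation match its Maven plugin output, but the ticket does not name the tool) and that the file is referenced from the plugin's `<suppressionFile>` setting.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2023-32731 / CVE-2023-32732 concern the C-core gRPC implementation.
        io.grpc:grpc-context is the Java flavour and is not affected.
        Match on the package URL of every grpc-context version, so both the
        1.53.0 copy (via opencensus-api) and the 1.27.2 copy in the demo webapp
        are covered by this single entry.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-context@.*$</packageUrl>
        <!-- Suppress only these two CVE ids, not the whole cpe:/a:grpc:grpc
             match: a blanket CPE suppression would also hide any future
             advisory that genuinely applies to the Java artifact. -->
        <cve>CVE-2023-32731</cve>
        <cve>CVE-2023-32732</cve>
    </suppress>
</suppressions>
```

After adding the file, re-run the scan and confirm the two findings no longer appear while any other grpc-related finding still does.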
Checklists
Acceptance criteria