Build / BUILD-1203

Dismiss CVE about gRPC 1.59.0


    • Type: Task
    • Resolution: Not an issue
    • Priority: Neutral
    • BOM 6.2.41

      grpc-api-1.59.0.jar and grpc-context-1.59.0.jar: CVE-2023-44487

      Affects versions up to 1.59.2; Magnolia 6.2.41 uses grpc-api-1.59.0.

      Dependency tree:

      [INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
      [INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
      [INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
      [INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
      [INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
      [INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
      [INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
      [INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime
      Dev notes:

      The allegedly vulnerable library comes transitively via google-http-client, which is already at its latest stable version at the time of writing.

      This is a false positive: gRPC comes in different flavours and the one affected is the Go language implementation whereas Magnolia uses the Java implementation.
      See also https://github.com/grpc/grpc-java/issues/10726#issuecomment-1845628563
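      To make the triage above reproducible, here is a small helper (added for this ticket, not Magnolia or gRPC project code) that parses the `mvn dependency:tree` output quoted above, flags every `io.grpc` artifact whose version falls inside the range the ticket cites (up to 1.59.2), prints the transitive path that brings it in, and names the nearest first-party module (groupId prefix `info.magnolia`, an assumption about what counts as "ours") where a version pin or exclusion would have to go if the finding were ever confirmed. The version comparison is a plain numeric tuple comparison on dotted versions; the tree text is the one from this ticket.

```python
"""Locate the transitive path that pulls a flagged artifact into a Maven build.

Added example for BUILD-1203 (not project code). Parses `mvn dependency:tree`
text, flags io.grpc artifacts at or below the ticket's cited ceiling (1.59.2),
and reports where in the tree an override would have to be applied.
"""
import re

AFFECTED_UP_TO = "1.59.2"   # upper bound of the affected range cited in the ticket

# Dependency tree exactly as quoted in the ticket.
TREE = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
[INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
[INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
[INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
[INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime
"""

# Tree-drawing prefix (`+- `, `\- `, `|  `, spaces; 3 chars per level) then the coordinate.
COORD_RE = re.compile(r"^(?P<prefix>[\s|+\\-]*)(?P<coord>[A-Za-z][^\s]*:[^\s]+)$")


def version_key(version):
    """Numeric tuple for a dotted version; qualifiers are dropped ('6.2-SNAPSHOT' -> (6, 2))."""
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_at_or_below(version, ceiling):
    return version_key(version) <= version_key(ceiling)


def parse_tree(text):
    """One record per artifact: group, artifact, version, scope, depth, path (root -> this)."""
    records = []
    stack = []  # ancestor labels indexed by depth
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        if not line.strip() or line.lstrip().startswith("---"):
            continue  # blank line or the plugin banner
        m = COORD_RE.match(line.rstrip())
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        group, artifact = parts[0], parts[1]
        # g:a:type:version[:scope]  or  g:a:type:classifier:version:scope
        if len(parts) == 6:
            version, scope = parts[4], parts[5]
        else:
            version = parts[3]
            scope = parts[4] if len(parts) > 4 else None
        label = f"{group}:{artifact}:{version}"
        del stack[depth:]          # leave the previous branch at this depth
        stack.append(label)
        records.append({"group": group, "artifact": artifact, "version": version,
                        "scope": scope, "depth": depth, "path": list(stack)})
    return records


def find_flagged(records, group, ceiling):
    """Artifacts of `group` whose version lies inside the affected range (<= ceiling)."""
    return [r for r in records if r["group"] == group and is_at_or_below(r["version"], ceiling)]


def nearest_first_party(record, group_prefix):
    """Closest ancestor we own (by groupId prefix): where a pin or exclusion would go."""
    for label in reversed(record["path"][:-1]):
        if label.startswith(group_prefix):
            return label
    return None


if __name__ == "__main__":
    deps = parse_tree(TREE)
    for r in find_flagged(deps, "io.grpc", AFFECTED_UP_TO):
        print(f"{r['group']}:{r['artifact']}:{r['version']} ({r['scope']}) via "
              + " -> ".join(r["path"][:-1]))
        print("  nearest first-party ancestor:", nearest_first_party(r, "info.magnolia"))
```

      Running it against the quoted tree reports both grpc-context 1.59.0 and grpc-api 1.59.0, reached through magnolia-module-mail -> google-http-client -> opencensus-api, with magnolia-module-mail as the nearest first-party module.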


              fgrilli Federico Grilli
              ccantalapiedra Carlos Cantalapiedra
              Foundation