Task
Resolution: Not an issue
Neutral
None
BOM 6.2.41
None
grpc-api-1.59.0.jar and grpc-context-1.59.0.jar: CVE-2023-44487
Affects versions up to 1.59.2, and Magnolia 6.2.41 uses grpc-api-1.59.0.
Dependency tree:
[INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
[INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
[INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
[INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
[INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime
Dev notes:
The allegedly vulnerable library comes in transitively via google-http-client, which is already at its latest stable version at the time of writing.
This is a false positive: gRPC comes in different flavours, and the one affected is the Go language implementation, whereas Magnolia uses the Java implementation.
See also https://github.com/grpc/grpc-java/issues/10726#issuecomment-1845628563
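Triaging a scanner finding like this one starts with locating the flagged artifact in the dependency tree and finding which dependency an upgrade would actually have to go through. The following Python is an added example, not code from the ticket or from Magnolia: it parses the `mvn dependency:tree` output quoted above (embedded as sample input) and reports, for a given artifactId, the direct dependency under the root and the first third-party ancestor; the `own_groups` prefixes used to tell project modules from third-party ones are an assumption.

```python
"""Trace how a flagged artifact enters a Maven build from `mvn dependency:tree` output."""
import re
from typing import Dict, List

# Sample input: the dependency tree quoted in the ticket, one node per line.
TREE_OUTPUT = r"""[INFO] --- dependency:3.6.1:tree (default-cli) @ magnolia-dx-core-webapp ---
[INFO] info.magnolia.dx:magnolia-dx-core-webapp:war:6.2-SNAPSHOT
[INFO] \- info.magnolia.bundle:magnolia-community-webapp:pom:6.2-SNAPSHOT:compile
[INFO]    \- info.magnolia:magnolia-module-mail:jar:5.6.2:compile
[INFO]       \- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO]          \- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO]             \- io.grpc:grpc-context:jar:1.59.0:compile
[INFO]                \- io.grpc:grpc-api:jar:1.59.0:runtime
"""

# A tree line: "[INFO] ", then tree-drawing characters (spaces, '|', '+-', '\-'), then the
# coordinates groupId:artifactId:type:version[:scope].
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<gav>[\w.\-]+:[\w.\-]+:.+)$")


def parse_tree(text: str) -> List[Dict[str, object]]:
    """Return every artifact with its coordinates and the path of coordinates from the root."""
    stack: List[str] = []  # ancestors of the current node, one entry per depth level
    nodes: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("gav").split(":")
        if len(parts) < 4:  # e.g. the "--- dependency:3.6.1:tree ---" banner, not a node
            continue
        depth = len(m.group("prefix")) // 3  # Maven indents each level by 3 columns
        del stack[depth:]
        stack.append(m.group("gav"))
        nodes.append({"group": parts[0], "artifact": parts[1], "version": parts[3],
                      "scope": parts[4] if len(parts) > 4 else "", "path": list(stack)})
    return nodes


def trace(text: str, artifact: str, own_groups=("info.magnolia",)) -> Dict[str, object]:
    """Explain how `artifact` enters the build: its full path, the direct dependency under
    the root, and the first ancestor outside `own_groups` (the artifact to upgrade)."""
    for node in parse_tree(text):
        if node["artifact"] == artifact:
            path: List[str] = node["path"]  # type: ignore[assignment]
            third_party = next((p for p in path if not p.startswith(own_groups)), None)
            return {"version": node["version"], "scope": node["scope"], "path": path,
                    "direct": path[1] if len(path) > 1 else None,
                    "first_third_party": third_party}
    return {}


if __name__ == "__main__":
    for hop in trace(TREE_OUTPUT, "grpc-api")["path"]:
        print(hop)
```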
Acceptance criteria