
[Snyk: High] XML External Entity (XXE) Injection (Due 07/10/2020) #4408

Closed · Fixed by #4430
hcaofec opened this issue Jun 10, 2020 · 1 comment
Labels: Security: high (Remediate within 30 days)
Comments

hcaofec (Contributor) commented Jun 10, 2020

Summary

High severity vulnerability found
Description:

XML External Entity (XXE) Injection
Vulnerable module: org.postgresql:postgresql
Introduced through: org.flywaydb:flyway-commandline@5.2.4
Exploit maturity: No known exploit
Detailed paths
Introduced through: project@0.0.0 › org.flywaydb:flyway-commandline@5.2.4 › org.postgresql:postgresql@42.2.5.jre6

More information: https://app.snyk.io/vuln/SNYK-JAVA-ORGPOSTGRESQL-571481

Technical considerations

  • this vulnerability is found in build.gradle
hcaofec added the "Security: high (Remediate within 30 days)" label on Jun 10, 2020
hcaofec changed the title from "Snyk: High] XML External Entity (XXE) Injection (Due 07/10/2020)" to "[Snyk: High] XML External Entity (XXE) Injection (Due 07/10/2020)" on Jun 10, 2020
lbeaufort added this to the Sprint 12.6 milestone on Jun 24, 2020
lbeaufort assigned lbeaufort and unassigned lbeaufort on Jun 24, 2020
jason-upchurch (Contributor) commented:
Fixed with the following addition to build.gradle:

```groovy
// (as posted) transitive guava exclusion; Gradle only accepts this form inside
// a dependency declaration's configuration closure
exclude group: 'com.google.guava', module: 'guava'
// pin the transitive org.postgresql:postgresql that flyway-commandline 5.2.4 pulls
// in (42.2.5.jre6) to 42.2.14.jre6; a constraints {} block sits inside dependencies {}
constraints {
    implementation('org.postgresql:postgresql:42.2.14.jre6')
}
```

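A constraint only closes this finding if the version that actually resolves onto the classpath changes, so the check worth running after the fix is on Gradle's dependency report rather than on build.gradle itself. The following is an added example, not code from the issue or from the project: it parses the text of `./gradlew dependencies --configuration runtimeClasspath`, handles the `requested -> resolved` rewrite Gradle prints when a constraint overrides a transitive version and the `(c)` marker on the constraint's own entry, and reports any resolved org.postgresql:postgresql below the version the fix pins. The two report excerpts are constructed for the example, and the threshold of 42.2.14 is taken from the pinned version in the comment above, not from a claim about the earliest patched release.

```python
"""Verify that the Gradle constraint in the fix actually changed what resolves.

Added example, not code from the issue or the project.  It parses the text of
Gradle's dependency report and flags every resolved org.postgresql:postgresql
version below the one the fix pins.  Gradle prints `requested -> resolved` when
a constraint or conflict resolution rewrote a version, and marks a constraint's
own entry with `(c)`; both forms are handled below.
"""
import re

MODULE = "org.postgresql:postgresql"
PINNED = "42.2.14"  # threshold assumed from the constraint in the fix comment

# Constructed report excerpts (not captured from the real project's build).
REPORT_BEFORE_FIX = """\
runtimeClasspath - Runtime classpath of source set 'main'.
\\--- org.flywaydb:flyway-commandline:5.2.4
     \\--- org.postgresql:postgresql:42.2.5.jre6
"""

REPORT_AFTER_FIX = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.flywaydb:flyway-commandline:5.2.4
|    \\--- org.postgresql:postgresql:42.2.5.jre6 -> 42.2.14.jre6
\\--- org.postgresql:postgresql:42.2.14.jre6 (c)
"""

# group:name:requested [-> resolved] [(c)|(*)|(n) ...]
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<requested>[\w.\-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
    r"(?P<markers>(?:\s+\([c*n]\))*)"
)


def numeric_key(version):
    """Leading numeric components of a version, e.g. '42.2.14.jre6' -> (42, 2, 14).
    pgjdbc's .jre6/.jre7 suffix marks a Java-target variant, not an ordering,
    so it is dropped for the comparison."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def resolved_versions(report, module=MODULE):
    """Versions of `module` that actually land on the classpath."""
    versions = set()
    for line in report.splitlines():
        m = DEP_RE.search(line)
        if m is None or "%s:%s" % (m["group"], m["name"]) != module:
            continue
        if "(c)" in m["markers"]:
            continue  # the constraint declaration itself, not a resolved edge
        versions.add(m["resolved"] or m["requested"])
    return versions


def vulnerable_versions(report, module=MODULE, minimum=PINNED):
    """Resolved versions of `module` older than `minimum` (empty set = fixed)."""
    floor = numeric_key(minimum)
    return {v for v in resolved_versions(report, module) if numeric_key(v) < floor}


if __name__ == "__main__":
    for label, report in (("before", REPORT_BEFORE_FIX), ("after", REPORT_AFTER_FIX)):
        bad = vulnerable_versions(report)
        status = "still vulnerable %s" % sorted(bad) if bad else "OK"
        print("%s fix: %s" % (label, status))
```

To run it against the real build, redirect `./gradlew dependencies --configuration runtimeClasspath` to a file and pass its contents to `vulnerable_versions`; `./gradlew dependencyInsight --dependency org.postgresql:postgresql` gives the same answer interactively for one configuration. Checking every configuration matters because a constraint on `implementation` does not reach a classpath that does not extend from it.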