CVE-2022-42920 Critical org.apache.bcel propagated in 3.3.0 google/allocation-instrumenter #47

Closed
c3ivodujmovic opened this issue Nov 21, 2022 · 1 comment · Fixed by #49

Comments

@c3ivodujmovic

google/allocation-instrumenter contains
org.apache.bcel:bcel v6.0 which has CVE-2022-42920 | CRITICAL |
This is fixed in bcel 6.6.0
Apache Commons BCEL vulnerable to out-of-bounds write --> avd.aquasec.com/nvd/cve-2022-42920

c3ivodujmovic added a commit to c3ivodujmovic/allocation-instrumenter that referenced this issue Nov 21, 2022
@ivo2d

ivo2d commented Dec 13, 2022

@cgdecker any chance you can fix the current CVEs?
There is also https://nvd.nist.gov/vuln/detail/CVE-2020-8908 fixed in guava 30.0, and https://nvd.nist.gov/vuln/detail/CVE-2020-15250 fixed in junit 4.13.1

cpovirk added a commit to cpovirk/allocation-instrumenter that referenced this issue Feb 23, 2023
Primarily, this means cl/511470745, but it probably includes bits from
cl/511754220, cl/509629252, cl/509559717, cl/506904697, cl/482820733,
and perhaps others.

cl/511470745 said:

Update dependency versions and add rules/scripts to allow releasing to
Maven Central without building using Maven.

Fixes google#47
Fixes google#43
Fixes google#39

PiperOrigin-RevId: 511754220
cpovirk added a commit that referenced this issue Mar 2, 2023
Primarily, this means cl/511470745, but it probably includes bits from
cl/511754220, cl/509629252, cl/509559717, cl/506904697, cl/482820733,
and perhaps others.

cl/511470745 said:

Update dependency versions and add rules/scripts to allow releasing to
Maven Central without building using Maven.

Fixes #47
Fixes #43
Fixes #39

(#49)

PiperOrigin-RevId: 511754220