CVE-2022-21724 vulnerability related to postgresql dependency #393
Comments
|
@stianst this has the area/dist/quarkus label, but we use 42.3.3 - so for quarkus it should be solved. Not sure how to proceed :) |
|
Indeed, the Quarkus distribution is not affected, only the Keycloak legacy. |
|
@stianst interesting enough, Snyk, Dependabot and depscan could not catch it https://snyk.io/vuln/maven:org.postgresql%3Apostgresql |
|
If it helps, this is what we are getting from AWS Inspector, which I believe uses Clair to scan for vulnerabilities. Also, thanks for the fix :) |
|
We don't bundle the PostgreSQL JDBC driver in the legacy WildFly distribution, only in the legacy container. The version specified in pom.xml is only used for testing purposes. @Painyjames I presume you are scanning the container image and not the ZIP distribution? |
|
That's correct, so I guess the fault might be there? |
|
@stianst out of curiosity, why you decided to reopen? |
Describe the bug
AWS Inspector has found a vulnerability related to the postgresql driver dependency.
The details of said vulnerability can be found here and can be sorted out if that dependency is not between this versions 42.3.0 and 42.3.2 or before 42.2.25.
Version
1.6.1
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: