CVE-2022-42889 - Apache Commons Text prior to 1.10.0 allows RCE #15915
Comments
@abstractj - I need your help in adding the appropriate labels here, I don't seem to have the ability to.
@jsorah Thanks for submitting it Josh. Keycloak is not vulnerable to the issue mentioned, although it is affected, and we should upgrade. Currently, we are on the 2.13.5.Final release of Quarkus and we need to keep those dependencies in sync. Considering that this is not critical, I'd say that it is safe to wait for the next Quarkus update on 2.13.x, or the next Keycloak upgrade to 2.14.x next year. @keycloak/cloud-native-team @keycloak/storage-x do you have any other suggestions?
I think we are affected because, even though script execution is disabled by default (a tech preview feature), you should be able to use classes from
I think we should be able to fix this CVE if we change the
From what I see,
@pedroigor +1 about your idea
@pedroigor - The Ex:
EDIT: Actually what I said is incorrect for what Keycloak is doing - this is an artifact from a different process / older version of Liquibase. A Maven exclusion should work for Keycloak as of now.
If I'm reading right, the first release of Quarkus that includes the Liquibase upgrade is 2.15.0 (quarkusio/quarkus@387578a). Given that we seem to have a way to work around this with @pedroigor's suggestion, I think we can wait until our Quarkus is upgraded to 2.15.0 or higher and then update Liquibase accordingly.
Description

Detailed paths
liquibase.version defined as 4.16.1 in pom.xml

Overview
Repackaged transitive dependency org.apache.commons:commons-text included by org.liquibase:liquibase-core is vulnerable to CVE-2022-42889.

Remediation
Upgrade org.liquibase:liquibase-core to version 4.17.1 or higher.

References
NVD Entry
Keycloak Defined Liquibase Version
Liquibase Release Including Fixed Dependency
Liquibase Commit Addressing Dependency
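The Maven exclusion workaround mentioned in the comments, written out as an added illustration (this is not Keycloak's actual pom.xml change). It assumes a project that already defines the liquibase.version property (4.16.1 per this issue) and keeps liquibase-core while dropping the vulnerable commons-text it pulls in transitively, then pins commons-text to 1.10.0, the first release not affected by CVE-2022-42889.

```xml
<!-- Added example, not Keycloak's own pom.xml. Assumes liquibase.version is
     defined in the parent pom (4.16.1 in this issue). -->
<dependencies>
  <dependency>
    <groupId>org.liquibase</groupId>
    <artifactId>liquibase-core</artifactId>
    <version>${liquibase.version}</version>
    <exclusions>
      <!-- Drop the transitive commons-text that is vulnerable to CVE-2022-42889.
           Only works if liquibase-core declares it as a normal dependency,
           not as a shaded/repackaged class set inside its own jar. -->
      <exclusion>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Re-add commons-text explicitly at a fixed version so Liquibase still
       resolves the classes it needs, now from the patched release. -->
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-text</artifactId>
    <version>1.10.0</version>
  </dependency>
</dependencies>
```

After the change, confirm that no older commons-text remains on the classpath with `mvn dependency:tree -Dincludes=org.apache.commons:commons-text`; the only entry should be 1.10.0. Once Quarkus ships Liquibase 4.17.1 or higher, the exclusion and pin can be removed again.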