feign-form uses commons-fileupload 1.4 with High Sev CVE #853
Comments
Hello @vstoyanov, thanks for reporting the issue. That dependency is still under official maintenance by the OpenFeign team. A PR has been submitted to fix the issue. We will monitor what is happening to that PR and try to offer a workaround if necessary.
Have overridden it in Spring Cloud OpenFeign. Workaround can be removed once it's been fixed in Feign-Form.
I'm not sure if this fixes the problem. If I'm not mistaken, just changing a dependency version isn't enough. https://devhub.checkmarx.com/cve-details/CVE-2023-24998/ A new config FileUploadBase#setFileCountMax should be enabled also, so I guess we still need a collaboration with the OpenFeign team.
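The point in the comment above is that the fixed commons-fileupload release only adds the `setFileCountMax` limit; it does not turn it on, so a multipart parser built on the library still has to call it. The following is an added illustration, not code from feign-form, Spring Cloud OpenFeign, or this thread, of what an explicitly hardened `ServletFileUpload` setup looks like. The three limit constants are assumed values chosen for the example; the API calls (`setFileCountMax`, `setFileSizeMax`, `setSizeMax`) are the public ones on `FileUploadBase`, which `ServletFileUpload` inherits.

```java
import java.io.File;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Example multipart parser with all three commons-fileupload limits set.
 * Added illustration; not part of feign-form or Spring Cloud OpenFeign.
 */
public final class BoundedMultipartParser {

    // Assumed limits for this example; tune per application.
    private static final long MAX_PART_COUNT   = 100;               // parts per request
    private static final long MAX_PART_SIZE    = 10L * 1024 * 1024; // 10 MiB per part
    private static final long MAX_REQUEST_SIZE = 50L * 1024 * 1024; // 50 MiB per request

    private BoundedMultipartParser() {}

    public static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }

        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setRepository(new File(System.getProperty("java.io.tmpdir")));

        ServletFileUpload upload = new ServletFileUpload(factory);

        // Only available from commons-fileupload 1.5 onward; unset (-1) means unlimited,
        // which is why bumping the version alone does not cap the number of parts.
        upload.setFileCountMax(MAX_PART_COUNT);

        // Byte limits that already existed in earlier releases and should be set as well.
        upload.setFileSizeMax(MAX_PART_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);

        // Exceeding any limit throws a FileUploadException subclass; let the caller
        // map it to a 4xx response rather than buffering the whole body.
        return upload.parseRequest(request);
    }
}
```

The two byte limits are included because a part-count cap on its own still allows a single oversized part; all three together bound the memory and temp-file usage a single request can cause.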
Hi @mgbardakov, thanks for bringing this up, it's a good point. However, in order to verify this, I have gone through the code in
With the last release 4 years ago and the last accepted pull request about 3 years ago, by all means it is a dead project now. It brings a High Sev CVE to the dependency graph, which is not really nice and certainly not in line with the rest of Spring Framework.
Over the weekend I will do some research on what it could be replaced with and report back.