The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-14908847
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-8523186
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-8547999
Pull request overview
This PR attempts to address security vulnerabilities identified by Snyk in the project's Maven dependencies. However, the actual changes are incomplete and insufficient compared to what is claimed in the PR description.
Changes:
- Upgrades fastjson dependency from version 1.2.31 to 1.2.48
| <groupId>com.alibaba</groupId> | ||
| <artifactId>fastjson</artifactId> | ||
| <version>1.2.31</version> | ||
| <version>1.2.48</version> |
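Review bot: This is the only change in the PR, and it touches fastjson alone, so the two Tomcat advisories named in the description (SNYK-JAVA-ORGAPACHETOMCATEMBED-8523186 and SNYK-JAVA-ORGAPACHETOMCATEMBED-8547999) are not addressed by this hunk; they come in through the Spring Boot 1.5.2.RELEASE starters, so either the PR title and description should be narrowed to the fastjson issue or the Tomcat override has to land in the same change. The target version is also below the 1.2.83 floor cited in review, so even the fastjson advisory is only partially covered by `<version>1.2.48</version>`.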
The upgrade to fastjson 1.2.48 is insufficient and leaves the application vulnerable. Fastjson version 1.2.48 has numerous known critical security vulnerabilities (CVEs) including remote code execution flaws. The minimum recommended version is 1.2.83 or higher. Consider upgrading to the latest stable version of fastjson (2.x series) to ensure all known vulnerabilities are addressed.
| <version>1.2.48</version> | |
| <version>2.0.52</version> |
| <version>1.2.48</version> | ||
| </dependency> | ||
| <dependency> |
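Review bot: The two suggested fixes in this review disagree on the target version (`<version>2.0.52</version>` here, `<version>1.2.83</version>` in the later suggestion); settle on one before merging. 2.0.52 is a major version jump from the 1.2.x line, so confirm the project still compiles against it and that its JSON parsing behaviour is unchanged under the existing tests; staying on the 1.2.x line at 1.2.83 is the lower-risk option if a full 2.x migration is not planned for this PR.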
The PR description claims to fix 3 vulnerabilities including two critical Tomcat vulnerabilities (SNYK-JAVA-ORGAPACHETOMCATEMBED-8523186 and SNYK-JAVA-ORGAPACHETOMCATEMBED-8547999), but this PR only upgrades the fastjson dependency. The Tomcat vulnerabilities are brought in through the Spring Boot dependencies (version 1.5.2.RELEASE) and remain unaddressed. This creates a false sense of security as the PR title suggests all 3 vulnerabilities are fixed when in reality only a partial fix for 1 vulnerability is attempted.
| <version>1.2.48</version> | |
| </dependency> | |
| <dependency> | |
| <version>1.2.83</version> | |
| </dependency> | |
| <!-- Override embedded Tomcat to secure versions to address SNYK-JAVA-ORGAPACHETOMCATEMBED-8523186 and SNYK-JAVA-ORGAPACHETOMCATEMBED-8547999 --> | |
| <dependency> | |
| <groupId>org.apache.tomcat.embed</groupId> | |
| <artifactId>tomcat-embed-core</artifactId> | |
| <version>8.5.88</version> | |
| </dependency> | |
| <dependency> | |
| <groupId>org.apache.tomcat.embed</groupId> | |
| <artifactId>tomcat-embed-el</artifactId> | |
| <version>8.5.88</version> | |
| </dependency> | |
| <dependency> | |
| <groupId>org.apache.tomcat.embed</groupId> | |
| <artifactId>tomcat-embed-websocket</artifactId> | |
| <version>8.5.88</version> | |
| </dependency> | |
| <dependency> |
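Review bot: Pinning the three tomcat-embed artifacts at `<version>8.5.88</version>` may not resolve the advisories it cites: the Snyk table in the PR body marks both SNYK-JAVA-ORGAPACHETOMCATEMBED-8523186 and -8547999 as needing a "Major version upgrade", which points to a Tomcat line newer than 8.5, so check the suggested version against the advisory fix versions before accepting this block. If the project inherits from spring-boot-starter-parent, overriding the `tomcat.version` property is the conventional way to move the embedded Tomcat and keeps core, el and websocket in lockstep; if it imports the BOM instead, the overrides belong in `<dependencyManagement>`. Either way, confirm the resolved versions with `mvn dependency:tree` rather than trusting what is declared, since the body notes these versions are managed externally.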
Snyk has created this PR to fix 3 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
- mi-blog/pom.xml

Vulnerabilities that will be fixed with an upgrade (issue; upgrade; reachability; exploit maturity):
- SNYK-JAVA-COMALIBABA-14908847; 1.2.31 -> 1.2.48; No Path Found; Mature
- SNYK-JAVA-ORGAPACHETOMCATEMBED-8523186; Major version upgrade; No Path Found; Proof of Concept
- SNYK-JAVA-ORGAPACHETOMCATEMBED-8547999; Major version upgrade; No Path Found; No Known Exploit

Vulnerabilities that could not be fixed:
- org.springframework.boot:spring-boot-starter-thymeleaf@1.5.2.RELEASE to org.springframework.boot:spring-boot-starter-thymeleaf@2.0.0.RELEASE; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.2.RELEASE/spring-boot-dependencies-1.5.2.RELEASE.pom

Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
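Because the Snyk body above reports that the Spring Boot BOM manages the Tomcat versions externally, the reliable post-merge check is the resolved dependency graph, not the versions typed into pom.xml. The script below is an added example (not Snyk's, Copilot's, or the project's own code): it parses the text output of `mvn dependency:tree` and flags artifacts that resolve below a minimum. The tree output is a constructed sample, and the thresholds (fastjson 1.2.83, tomcat-embed-* 8.5.88) are taken from the review comments on this PR as policy inputs, not as confirmed fix versions for the advisories.

```python
"""Check the resolved Maven dependency graph against minimum safe versions.

Works on the text output of `mvn dependency:tree`, because the versions that
actually ship are the resolved ones (a BOM such as spring-boot-dependencies can
manage versions that never appear in pom.xml), not the ones declared in the POM.
"""
import re

# Policy thresholds taken from the review comments on this PR (fastjson >= 1.2.83,
# tomcat-embed-* >= 8.5.88). These are inputs to adjust per project, not confirmed
# advisory fix versions.
MINIMUMS = {
    ("com.alibaba", "fastjson"): "1.2.83",
    ("org.apache.tomcat.embed", "tomcat-embed-core"): "8.5.88",
    ("org.apache.tomcat.embed", "tomcat-embed-el"): "8.5.88",
    ("org.apache.tomcat.embed", "tomcat-embed-websocket"): "8.5.88",
}

# Constructed sample of `mvn dependency:tree` output for a Spring Boot 1.5.x
# application; illustrative only, not captured from the project in this PR.
SAMPLE_TREE = """\
[INFO] com.example:mi-blog:jar:0.0.1-SNAPSHOT
[INFO] +- com.alibaba:fastjson:jar:1.2.48:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.2.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.2.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] |  \\- org.springframework:spring-web:jar:4.3.7.RELEASE:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.2.RELEASE:compile
"""

# Matches groupId:artifactId:packaging[:classifier]:version:scope at the end of a
# tree line; the root module line has no scope and is deliberately skipped.
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+(?::[A-Za-z0-9_.\-]+)?"
    r":([A-Za-z0-9_.\-]+):[a-z]+$"
)


def version_key(version):
    """Turn '8.5.11' or '1.5.2.RELEASE' into a tuple of its leading numeric parts.

    Qualifiers such as RELEASE or SNAPSHOT are ignored; tuple comparison then
    orders 1.2.48 < 1.2.83 and 8.5.11 < 8.5.88 correctly.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def parse_tree(text):
    """Return (groupId, artifactId, version) for every resolved artifact in the tree."""
    deps = []
    for line in text.splitlines():
        match = COORD_RE.search(line.strip())
        if match:
            deps.append((match.group(1), match.group(2), match.group(3)))
    return deps


def check_minimums(text, minimums=MINIMUMS):
    """Return (groupId, artifactId, resolved, required) for every artifact below its floor."""
    findings = []
    for group_id, artifact_id, resolved in parse_tree(text):
        required = minimums.get((group_id, artifact_id))
        if required and version_key(resolved) < version_key(required):
            findings.append((group_id, artifact_id, resolved, required))
    return findings


if __name__ == "__main__":
    # Run against real output with: mvn dependency:tree > tree.txt, then feed that file.
    for group_id, artifact_id, resolved, required in check_minimums(SAMPLE_TREE):
        print(f"{group_id}:{artifact_id} resolved {resolved} < required {required}")
```

Against the constructed tree this reports fastjson at 1.2.48 and all three tomcat-embed artifacts at 8.5.11, which is the situation the review describes: the declared fastjson bump is visible, but the Tomcat versions are whatever the Spring Boot 1.5.2 BOM pulls in until something overrides them.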