[Question] Is there a plan to fix the vulnerabilities in the dependency software? #1497

minchai23 · 2024-05-25T07:32:24Z

Search before asking

I had searched in the issues and found no similar issues.

Question

CVE-2023-39017 in Quartz 2.3.2，API misuse of org.quartz.jobs.ee.jms.SendQueueMessageJob.execute would lead the code injection vulnerability. quartz-scheduler/quartz#943
Other Vulnerabilities in Spring Boot's dependent software

The text was updated successfully, but these errors were encountered:

lprimak · 2024-05-25T16:53:37Z

Yes. We run security scans and dependabot to keep dependencies up to date.
Currently, Security scans do not show any vulnerabilities in Shiro.

There are no current vulnerabilities listed in "Spring Boot's dependent software" that we are aware of.

I do not believe Shiro has is actually using vulnerability in the above CVE, so it doesn't really apply here.
Also, looks like Quartz scheduler is abandoned.

I am going to close this issue. Will leave your PR open under discussion in Slack

minchai23 added the question label May 25, 2024

minchai23 mentioned this issue May 25, 2024

update quartz to 2.4.0-rc2, fix CVE-2023-39017 #1498

Merged

lprimak closed this as not planned Won't fix, can't repro, duplicate, stale May 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Question] Is there a plan to fix the vulnerabilities in the dependency software? #1497

[Question] Is there a plan to fix the vulnerabilities in the dependency software? #1497

minchai23 commented May 25, 2024 •

edited

Loading

lprimak commented May 25, 2024

[Question] Is there a plan to fix the vulnerabilities in the dependency software? #1497

[Question] Is there a plan to fix the vulnerabilities in the dependency software? #1497

Comments

minchai23 commented May 25, 2024 • edited Loading

Search before asking

Question

lprimak commented May 25, 2024

minchai23 commented May 25, 2024 •

edited

Loading