v9.2.0 Provides transitive vulnerable dependency maven:com.google.guava:guava:31.1-jre #899

Closed
hmzgtl16 opened this issue Dec 29, 2023 · 8 comments · Fixed by #948

@hmzgtl16

CVE-2023-2976 7.1 Files or Directories Accessible to External Parties vulnerability with High severity foun

@google-oss-bot

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@Malnen

Malnen commented Feb 8, 2024

Does anyone know when it will be fixed?

@Chikouni

Chikouni commented Mar 29, 2024

UPDATE:
There is another in v9.2.0: CVE-2024-29025, due to io.netty:netty-codec-http 4.1.107.Final

@cybersokari

cybersokari commented Apr 16, 2024

While we wait for this to be resolved, you can override Guava from Firebase Admin SDK with a version that does not have a breaking change.

Screenshot 2024-04-16 at 16 17 45
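
Added example, not part of the original thread or the Firebase Admin SDK: before overriding a transitive dependency as suggested above, it helps to confirm which direct dependency pulls in the flagged version. The sketch below parses `mvn dependency:tree` text output; the sample tree is constructed for illustration and the name `find_flagged` is hypothetical.

```python
import re

# Coordinates named in this thread (group:artifact -> flagged version).
FLAGGED = {
    "com.google.guava:guava": "31.1-jre",
    "io.netty:netty-codec-http": "4.1.107.Final",
}

# Constructed sample of `mvn dependency:tree` output. The tree shape and the
# com.example / slf4j entries are illustrative, not taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- com.google.firebase:firebase-admin:jar:9.2.0:compile
[INFO] |  +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] |  \\- io.netty:netty-codec-http:jar:4.1.107.Final:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

# Each nesting level is a 3-character column ("|  " or "   "), followed by
# a "+- " or "\- " marker on every line except the project root.
LINE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?(?P<coord>\S+)$"
)

def find_flagged(tree_text, flagged=FLAGGED):
    """Return [(group:artifact, version, path_from_root)] for flagged artifacts."""
    hits, stack = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, summary and other non-tree lines
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue  # not a Maven coordinate
        depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
        # Root is group:artifact:packaging:version; dependencies add a scope.
        version = parts[-1] if depth == 0 else parts[-2]
        ga = f"{parts[0]}:{parts[1]}"
        stack = stack[:depth] + [f"{ga}:{version}"]
        if flagged.get(ga) == version:
            hits.append((ga, version, list(stack)))
    return hits

if __name__ == "__main__":
    for ga, version, path in find_flagged(SAMPLE_TREE):
        print(" -> ".join(path))
```

Running the same check again after adding an override or upgrading shows whether the flagged version is still the one being resolved.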

@jedjebari

Overriding transitive deps might be dangerous, and should be avoided :-(
Any news on that?

@yssoe

yssoe commented Apr 26, 2024

https://www.cnbc.com/2024/04/23/google-search-boss-raghavan-warns-employees-of-new-operating-reality.html

Maybe other bosses can take a hint from their colleague.

@lahirumaramba lahirumaramba self-assigned this May 7, 2024
@lahirumaramba lahirumaramba linked a pull request May 21, 2024 that will close this issue
@lahirumaramba
Member

Thanks folks, this should be now fixed in the latest release (v9.30)

@AndyCodez

> Thanks folks, this should be now fixed in the latest release (v9.30)

Thanks for the update! But I believe that should read v9.3.0
