...
Dependency | Updated from version | Updated to version | Description
---|---|---|---
com.github.spotbugs:spotbugs-maven-plugin@4.1.3 | 4.1.3 | 4.5.0.0 | Maven plugin wrapper for SpotBugs, used for static security analysis of source code
com.github.spotbugs:spotbugs | 4.1.4 | 4.5.2 | Static analysis tool used for security analysis of source code
com.google.guava:guava | 30.0-jre | 31.0.1-jre |
org.slf4j:slf4j-log4j12 | 1.7.22 | 1.7.32 | Logging framework
org.slf4j:slf4j-api | 1.7.22 | 1.7.32 | Logging framework
org.eclipse.jetty:jetty-server | 9.4.35.v20201120 | 9.4.44.v20210927 |
org.eclipse.jetty:jetty-servlet | 9.4.35.v20201120 | 9.4.44.v20210927 |
com.squareup.okhttp3:okhttp | 4.9.1 | 4.9.3 | Library used to handle HTTP requests in OIDC
org.jetbrains.kotlin:kotlin-stdlib | 1.4.10 | 1.6.10 | Library used to handle HTTP components in okhttp
org.json:json | 20180813 | 20210307 | Library used for managing JSON objects
org.apache.commons:commons-lang | 2.x | org.apache.commons:commons-lang3@3.12.0 | Provided dependency with vulnerabilities, now drawn in explicitly
commons-io | [2.0, 2.4] | 2.11 | Vulnerabilities patched. See more details in the table under Vulnerabilities fixed
commons-codec:commons-codec | 1.10 | 1.15 | Vulnerabilities patched. See more details in the table under Vulnerabilities fixed
org.bouncycastle.bcpkix | org.bouncycastle.bcpkix-jdk15on@1.59 | org.bouncycastle.bcpkix-jdk15to18@1.70 | Vulnerabilities patched. See more details in the table under Vulnerabilities fixed
org.opensaml:opensaml-saml-impl | 3.4.5 | 3.4.6 | Updated to the latest version compatible with a Java 8 environment
...
Vulnerability | Vulnerable dependency | Fix update | Patched in 5.3.1 | Description
---|---|---|---|---
CVE-2021-29425 | commons-io@[2.0, 2.4] | commons-io@2.11 | | Updated dependency from both transitive libraries and
CWE-200 CVE-2020-13956 | commons-codec:commons-codec@1.10 | commons-codec:commons-codec@1.15 | | Vulnerabilities were fixed in 1.13; we updated to 1.15.
CVE-2020-9488 | log4j 1.2.17 | N/A | | Log4j is provided by the Atlassian host system as the Atlassian-managed fork of Log4j. We perform all our logging through the Slf4j framework, leaving the log4j API version to the host system. This will have to be addressed by Atlassian.
CVE-2020-26939, | org.bouncycastle.bcpkix-jdk15on@1.59 | org.bouncycastle.bcpkix-jdk15to18@1.70 | | Updated to the latest version of Bouncy Castle, 1.70, in our SAML library; although it is compiled with Java 16, the published .jar contains files compatible with Java 8. Note that older versions of Bouncy Castle also exist as a transitive, provided dependency from the Atlassian host system.
CVE-2020-27223, CVE-2021-28163, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428 | jetty-http-9.4.35.v20201120 | org.eclipse.jetty:jetty-server@9.4.44.v20210927 | |
CVE-2021-28165 | jetty-io-9.4.35.v20201120 | org.eclipse.jetty@9.4.44.v20210927 | |
CVE-2020-15824, CVE-2020-29582 | kotlin-stdlib-common@1.4.0 | org.jetbrains.kotlin:kotlin-stdlib@1.6.10 | |
...