Transitive dependency on commons-io 2.2, which is vulnerable #488

@bogdanb

Description

Serverless Java Container version: 1.9

Implementations: Spring Boot 2

Framework version: SpringBoot 2.6.6

Frontend service: N/A

Deployment method: N/A

Scenario

I’m using com.amazonaws.serverless:aws-serverless-java-container-springboot2:1.9 in a project, built using Gradle, if it matters. This pulls in commons-io:2.2 via the following chain:

  • (root project)
  • com.amazonaws.serverless:aws-serverless-java-container-springboot2:1.9
  • com.amazonaws.serverless:aws-serverless-java-container-core:1.9
  • commons-fileupload:commons-fileupload:1.4
  • commons-io:commons-io:2.2

The release notes for version 1.8 contain the claim:

Explicitly set commons-io version to 2.11.0 to avoid older transitive dependency version (CVE-2021-29425)

But that does not seem to work. I actually looked through the pom.xml files for both 1.8 and 1.9 and I can’t find any trace of this. Maybe a relevant commit was accidentally dropped?
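Until the library itself pins the version, a consumer can override the transitive dependency on their own side. The following build.gradle fragment is an added example (not code from the project or from the issue author): it uses a Gradle dependency constraint to raise commons-io to 2.11.0, the version the 1.8 release notes name for CVE-2021-29425, and adds a task that fails the build if commons-io 2.2 still resolves on the runtime classpath. It assumes the Groovy DSL and the artifact coordinates quoted in this issue.

```groovy
// build.gradle (Groovy DSL). Added example; assumes the coordinates from the issue above.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'com.amazonaws.serverless:aws-serverless-java-container-springboot2:1.9'

    // A constraint does not add a dependency by itself; it only raises the version
    // of commons-io wherever it appears in the graph (here via commons-fileupload:1.4).
    constraints {
        implementation('commons-io:commons-io:2.11.0') {
            because 'commons-fileupload 1.4 pulls in commons-io 2.2 (CVE-2021-29425)'
        }
    }
}

// Guard rail: fail the build if the vulnerable version is still what resolves.
// Wire it into `check` so it runs with the normal verification tasks.
tasks.register('checkCommonsIoVersion') {
    description = 'Fails if commons-io 2.2 is still on the runtime classpath'
    doLast {
        def artifact = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .find { it.moduleVersion.id.group == 'commons-io' && it.moduleVersion.id.name == 'commons-io' }
        if (artifact == null) {
            throw new GradleException('commons-io not found on runtimeClasspath; check the dependency graph')
        }
        def version = artifact.moduleVersion.id.version
        if (version == '2.2') {
            throw new GradleException("Vulnerable commons-io ${version} still resolved (CVE-2021-29425)")
        }
        println "commons-io resolved to ${version}"
    }
}
tasks.named('check') { dependsOn 'checkCommonsIoVersion' }
```

To see which declaration wins the conflict, `./gradlew dependencyInsight --configuration runtimeClasspath --dependency commons-io` prints the selection reason, including the `because` text above.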

Labels: CVE (Critical security vulnerability in dependencies)
