fix CVE-2023-42503

FraunhoferIOSB · Sep 18, 2023 · 3add9b9 · 3add9b9
1 parent 9f05566
commit 3add9b9
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/core/pom.xml b/core/pom.xml
@@ -157,6 +157,12 @@
             <artifactId>classgraph</artifactId>
             <version>${classgraph.version}</version>
         </dependency>
+        <!-- Fixes CVE-2023-42503 -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>${commons.compress.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
@@ -177,6 +183,13 @@
             <groupId>org.apache.poi</groupId>
             <artifactId>poi-ooxml</artifactId>
             <version>${poi.ooxml.version}</version>
+            <exclusions>
+                <!-- Fixes CVE-2023-42503 -->
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-compress</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>

diff --git a/model/pom.xml b/model/pom.xml
@@ -55,6 +55,12 @@
             <artifactId>classgraph</artifactId>
             <version>${classgraph.version}</version>
         </dependency>
+        <!-- Fixes CVE-2023-42503 -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>${commons.compress.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
@@ -64,6 +70,13 @@
             <groupId>org.apache.jena</groupId>
             <artifactId>jena-shacl</artifactId>
             <version>${jena.version}</version>
+            <!-- Fixes CVE-2023-42503 -->
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-compress</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

diff --git a/pom.xml b/pom.xml
@@ -77,6 +77,7 @@
         <checkstyle.version>10.12.3</checkstyle.version>
         <classgraph.version>4.8.162</classgraph.version>
         <commons.codec.version>1.16.0</commons.codec.version>
+        <commons.compress.version>1.24.0</commons.compress.version>
         <commons.io.version>2.13.0</commons.io.version>
         <commons.lang3.version>3.13.0</commons.lang3.version>
         <container.image.name>fraunhoferiosb/faaast-service</container.image.name>