Vulnerabilities affecting Spring Cloud Skipper

[FraPazGal]

Hi team,

Running a Trivy vulnerabilities scan through the Spring Cloud Skipper container image returned some CVEs affecting the latest SNAPSHOT release, 2.11.0-SNAPSHOT, that I couldn't find any info on:

• CVE-2022-45868, related to h2databse
• CVE-2023-1370, related to json-smart
• CVE-2016-1000027, related to spring-web

Could you confirm whether the Skipper is affected by these vulnerabilities and if so, are there plans to update the related dependencies?

Steps to reproduce:

$ trivy image --vuln-type library springcloud/spring-cloud-skipper-server:2.11.0-SNAPSHOT

[corneil]

spring-cloud-skipper 2.11.0-SNAPSHOT is now part of the mono-repo spring-cloud-dataflow.
The main branch here represents 2.10.4-SNAPSHOT.

CVE-2022-45868 is unavoidable because we include H2 driver for demonstration purposes. We don't advise anyone using it in a production environment.

CVE-2016-1000027 is mitigated because we only accept application/json in POST requests. It requires accepting and expecting to deserialize a Java Object.

CVE-2023-1370 is reported because of a bug in Trivy. aquasecurity/trivy#4192

[FraPazGal]

Thanks a lot for the detailed response @corneil! If it is okay with you, I'll use this issue to report a few new CVEs from a vulnerability scan I recently run:

• CVE-2023-2976, related to guava
• CVE-2023-34453, CVE-2023-34454 and CVE-2023-34455, related to snappy-java
• CVE-2023-34462, related to netty-handler
• CVE-2023-3635, related to okio
• CVE-2023-34034 and CVE-2023-34036, related to spring-hateoas

Edited: added new CVEs.