There are several vulnerabilities in the dependencies. Trivy currently reports the following:
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| ch.qos.logback:logback-core (robot.jar) | CVE-2024-12798 | MEDIUM | fixed | 1.5.6 | 1.5.13, 1.3.15 | logback-core: arbitrary code execution via JaninoEventEvaluator |
| ch.qos.logback:logback-core (robot.jar) | CVE-2025-11226 | MEDIUM | fixed | 1.5.6 | 1.5.19, 1.3.16 | Conditional arbitrary code execution in logback-core |
| ch.qos.logback:logback-core (robot.jar) | CVE-2024-12801 | LOW | fixed | 1.5.6 | 1.5.13, 1.3.15 | SaxEventRecorder SSRF vulnerability |
| com.fasterxml.jackson.core:jackson-databind (robot.jar) | CVE-2020-36518 | HIGH | affected | 2.11.3 | 2.13.2.1, 2.12.6.1 | DoS via deeply nested objects |
| com.fasterxml.jackson.core:jackson-databind (robot.jar) | CVE-2021-46877 | HIGH | affected | 2.11.3 | 2.12.6, 2.13.1 | Possible DoS if using JDK serialization on JsonNode |
| com.fasterxml.jackson.core:jackson-databind (robot.jar) | CVE-2022-42003 | HIGH | affected | 2.11.3 | 2.12.7.1, 2.13.4.2 | Deep wrapper array nesting issue with UNWRAP_SINGLE_VALUE_ARRAYS |
| com.fasterxml.jackson.core:jackson-databind (robot.jar) | CVE-2022-42004 | HIGH | affected | 2.11.3 | 2.12.7.1, 2.13.4 | Deeply nested arrays cause resource exhaustion |
| com.google.guava:guava (robot.jar) | CVE-2023-2976 | MEDIUM | affected | 31.1-jre | 32.0.0-android | Insecure temporary directory creation |
| com.google.guava:guava (robot.jar) | CVE-2020-8908 | LOW | affected | 31.1-jre | — | Local information disclosure via temporary directory permissions |
| commons-beanutils:commons-beanutils (robot.jar) | CVE-2025-48734 | HIGH | affected | 1.9.4 | 1.11.0 | PropertyUtilsBean does not suppress enum declaredClass exposure |
| commons-lang:commons-lang (robot.jar) | CVE-2025-48924 | MEDIUM | affected | 2.6 | — | Uncontrolled recursion vulnerability |
| org.apache.commons:commons-lang3 (robot.jar) | — | — | fixed | 3.11 | 3.18.0 | — |
| org.apache.commons:commons-text (robot.jar) | CVE-2022-42889 | CRITICAL | affected | 1.9 | 1.10.0 | Variable interpolation RCE |
| org.apache.james:apache-mime4j-core (robot.jar) | CVE-2024-21742 | MEDIUM | affected | 0.7.2 | 0.8.10 | Header injection vulnerability |
| org.apache.jena:jena-core (robot.jar) | CVE-2021-39239 | HIGH | affected | 3.17.0 | 4.2.0 | XML processing vulnerability |
| org.yaml:snakeyaml (robot.jar) | CVE-2022-1471 | HIGH | affected | 1.31 | 2.0 | Constructor deserialization RCE |
| org.yaml:snakeyaml (robot.jar) | CVE-2022-38752 | MEDIUM | affected | 1.31 | 1.32 | Uncaught exception in ArrayList.hashCode |
| org.yaml:snakeyaml (robot.jar) | CVE-2022-41854 | MEDIUM | affected | 1.31 | — | DoS via stack overflow |
We have a forked branch with updated dependencies fixing the vulnerabilities: https://github.com/eccenca/robot/tree/feature/updateDependencies

| Library | Updated Version |
|---|---|
| com.google.guava:guava | 33.5.0-jre |
| ch.qos.logback:logback-classic | 1.5.21 |
| org.apache.jena:jena-arq | 4.10.0 |
| org.apache.jena:jena-tdb | 4.10.0 |
| org.apache.poi:poi | 5.5.1 |
| org.apache.poi:poi-ooxml | 5.5.1 |
| org.yaml:snakeyaml | 2.5 |
| com.opencsv:opencsv | 5.12.0 |
| com.fasterxml.jackson.core:jackson-core | 2.20.1 |
| com.fasterxml.jackson.dataformat:jackson-dataformat-yaml | 2.20.1 |
| com.fasterxml.jackson.core:jackson-annotations | 2.20 |
| org.apache.james:apache-mime4j-core | 0.8.13 |
| org.apache.commons:commons-lang3 | 3.20.0 |
| commons-lang:commons-lang | exclusion |