EDGAPIUTL-17: Upgrade aws-java-sdk, folio-spring-base, spring-boot-st…

…arter-web https://issues.folio.org/browse/EDGAPIUTL-17 Upgrade aws-java-sdk from 1.12.341 to 1.12.638. This removes the dependency and usage of software.amazon.ion:[email protected] that has an Allocation of Resources Without Limits or Throttling vulnerability: * https://nvd.nist.gov/vuln/detail/CVE-2024-21634 * aws/aws-sdk-java#3077 (comment) Upgrade spring-boot-starter-web from 3.1.1 to 3.1.8. The spring-boot-starter-web upgrade indirectly upgrades spring-web from 6.0.10 to 6.0.16 fixing Denial of Service (DoS): * https://nvd.nist.gov/vuln/detail/CVE-2023-34053 The spring-boot-starter-web upgrade indirectly upgrades tomcat-embed-core from 10.1.10 to 10.1.18 fixing multiple vulnerabilities: * Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-44487 * HTTP request smuggling: https://nvd.nist.gov/vuln/detail/CVE-2023-46589 * Access Restriction Bypass: https://nvd.nist.gov/vuln/detail/CVE-2023-41080 * HTTP request smuggling: https://nvd.nist.gov/vuln/detail/CVE-2023-45648 * Incomplete Cleanup: https://nvd.nist.gov/vuln/detail/CVE-2023-42795 Upgrade folio-spring-base from 7.2.0 to 7.2.2 to match the spring-boot-starter-web upgrade.
folio-org · Jan 24, 2024 · 4383e52 · 4383e52
1 parent 313f541
commit 4383e52
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -12,7 +12,7 @@
     <java.version>17</java.version>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <vault.version>5.1.0</vault.version>
-    <aws-java-sdk.version>1.12.341</aws-java-sdk.version>
+    <aws-java-sdk.version>1.12.638</aws-java-sdk.version>
     <versions-maven-plugin.version>2.13.0</versions-maven-plugin.version>
     <maven-enforcer-plugin.version>3.1.0</maven-enforcer-plugin.version>
     <maven-source-plugin.version>3.2.1</maven-source-plugin.version>
@@ -23,7 +23,7 @@
     <wiremock.version>2.35.0</wiremock.version>
     <mockito.version>4.6.1</mockito.version>
     <commons-lang3.version>3.12.0</commons-lang3.version>
-    <folio-spring-base.version>7.2.0</folio-spring-base.version>
+    <folio-spring-base.version>7.2.2</folio-spring-base.version>
   </properties>
 
   <dependencyManagement>
@@ -51,6 +51,12 @@
       <artifactId>folio-spring-system-user</artifactId>
       <version>${folio-spring-base.version}</version>
     </dependency>
+    <!-- remove spring-boot-starter-web when folio-spring-system-user ships with spring-boot-starter-web >= 3.1.8 -->
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+      <version>3.1.8</version>
+    </dependency>
     <!-- we use log4j as our logging implementation -->
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>