simerplaha / SwayDB

Persistent and in-memory key-value storage engine for JVM that scales on a single machine.

Home Page: https://swaydb.simer.au

CVE-2022-36944 - Scala vulnerability with 9.8 score

crea1 opened this issue · comments

Hi 👋

Currently our dependency checks started failing on SwayDB due to the scala libraries related to this CVE https://nvd.nist.gov/vuln/detail/CVE-2022-36944

    [ERROR] scala-library-2.13.8.jar: CVE-2022-36944(9.8)
    [ERROR] scala-reflect-2.13.0.jar: CVE-2022-36944(9.8)

We are using

    <dependency>
      <groupId>io.swaydb</groupId>
      <artifactId>java_2.13</artifactId>
      <version>0.16.2</version>
    </dependency>

Seems that these are fixed in scala-library 2.13.9, latest being 2.13.10 as of writing.

Would be super nice to get a patch on this.

Thank you for SwayDB ❤️

Kind regards,
Marius

commented

Hey! Thank you for reporting this. This is something that should definitely be sorted out.

Just FYI, SwayDB's last release was 2 years ago and is over 400 commits behind new updates.

I have not been able to figure out how to continue SwayDB's development. Time being the biggest factor. So I'm not sure when this issue will be resolved.

Thanks heaps for reporting this.

Thank you for replying! I totally understand your situation. But at least now you are aware should you some day find the extra time.

Cheers!
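
For consumers who hit the same dependency-check failure while no new SwayDB release is available, one possible workaround is to pin the transitive Scala artifacts in the consuming project's own `pom.xml`. This is an added example, not part of the thread or of the SwayDB project; it assumes a Maven build and that SwayDB 0.16.2 behaves correctly on the newer 2.13.x patch release, which the thread does not confirm.

```xml
<!-- Added example: belongs in the consuming project's pom.xml, not in SwayDB. -->
<dependencyManagement>
  <dependencies>
    <!-- Overrides the transitive scala-library 2.13.8 flagged for CVE-2022-36944. -->
    <dependency>
      <groupId>org.scala-lang</groupId>
      <artifactId>scala-library</artifactId>
      <version>2.13.10</version>
    </dependency>
    <!-- Overrides the transitive scala-reflect 2.13.0 flagged in the same report. -->
    <dependency>
      <groupId>org.scala-lang</groupId>
      <artifactId>scala-reflect</artifactId>
      <version>2.13.10</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running `mvn dependency:tree -Dincludes=org.scala-lang` afterwards shows which versions are actually resolved, and the project's test suite should be rerun against the overridden versions.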