Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Security issue
See original GitHub issueThere is a moderate vulnerability in one of your dependencies
Vulnerable module: com.google.guava:guava
Libraries affected:
-
io.springfox:springfox-swagger2@2.9.2
-
io.springfox:springfox-swagger-ui@2.9.2
Explanation:
com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data.
During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:
AtomicDoubleArray(when serialized with Java serialization)CompoundOrdering(when serialized with GWT serialization)
An attacker may be able to send a specially crafted request which with then cause the server to allocate all it’s memory, without validation whether the data size is reasonable.
You have to update this dependency to solve the issue.
Issue Analytics
- State:
- Created 5 years ago
- Reactions:2
- Comments:7
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hello, just want to also bring up this additional security issue with earlier versions of guava - https://nvd.nist.gov/vuln/detail/CVE-2018-10237
This issue has been automatically closed because it has not had recent activity. Please re-open a new issue if this is still an issue.