Common Maven fixes for transitive CVEs

CVE-2021-29425 - commons-io vulnerability fix

Apache commons-io versions 2.6 and below contain a vulnerability in the FilenameUtils class that exposes an application to directory traversal attacks: paths containing ../ are not normalized, so a path can be passed that causes the application to access files the developer never intended.

Older versions of Spring-Web, SnakeYAML, HTTPClient, Hadoop, Spark, ZooKeeper, Selenium, AWS API, and many more may pull in this dependency at one of the vulnerable versions.

The following example shows you how to fix the CVE-2021-29425 transitive dependency vulnerability within the hadoop-client:

<dependencies>
    <dependency>
        <groupId>org.apache.hadoop</groupId>
        <artifactId>hadoop-client</artifactId>
        <version>3.3.0</version>
        <exclusions>
            <!-- exclude the vulnerable import (version 2.6 and lower) -->
            <exclusion>
                <groupId>commons-io</groupId>
                <artifactId>commons-io</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    
    <!-- Fix CVE-2021-29425 by replacing commons-io with the new secure version 2.7 -->
    <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
    </dependency>
</dependencies>
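An alternative to the exclude-and-redeclare pattern above, added here as an example and not part of the original article: Maven's dependencyManagement section also governs the versions of transitive dependencies, so declaring commons-io 2.7 there forces every path that pulls in commons-io (hadoop-client included) to resolve to the patched version without an exclusion. The hadoop-client and commons-io coordinates are the ones used on this page; the surrounding pom.xml (modelVersion, project coordinates) is assumed and omitted.

```xml
<project>
    <!-- Added example (not from the original article): pin the patched commons-io
         through dependencyManagement. A managed version overrides the version
         declared in any transitive POM, so no <exclusion> is required. -->
    <dependencyManagement>
        <dependencies>
            <!-- Fix CVE-2021-29425: every transitive commons-io resolves to 2.7 -->
            <dependency>
                <groupId>commons-io</groupId>
                <artifactId>commons-io</artifactId>
                <version>2.7</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <!-- hadoop-client's own POM still references the old commons-io,
             but the managed version above takes precedence -->
        <dependency>
            <groupId>org.apache.hadoop</groupId>
            <artifactId>hadoop-client</artifactId>
            <version>3.3.0</version>
        </dependency>
    </dependencies>
</project>
```

Whichever pattern you use, confirm the result rather than trusting the POM: `mvn dependency:tree -Dincludes=commons-io:commons-io` prints every path through which commons-io is resolved, and each one should now show 2.7.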

CVE-2021-28168 jersey-common vulnerability fix for Spring Boot

CVE-2021-28168 is an issue in the Jersey project that can result in temporary files being written with permissions that make them readable by other local users.

This vulnerability affects the Spring Boot Jersey Starter dependency in versions 2.3.x and 2.4.x. Here is how to fix this vulnerability using dependency exclusion within Maven:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-jersey</artifactId>
        <exclusions>
            <!-- Fix CVE-2021-28168 - exclude the vulnerable import (2.33 and lower) -->
            <exclusion>
                <groupId>org.glassfish.jersey.core</groupId>
                <artifactId>jersey-server</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    
    <!-- Fix CVE-2021-28168 - import the latest, fixed version (2.34) -->
    <dependency>
        <groupId>org.glassfish.jersey.core</groupId>
        <artifactId>jersey-server</artifactId>
        <version>2.34</version>
    </dependency>
    
</dependencies>

CVE-2021-28170 Jakarta.el fix for Spring Boot

The Jakarta expression language dependency is buried within the Spring Boot Jersey Starter and it contains an open vulnerability in versions 3.0.3 and lower. You can fix this easily by forcing the patched version 3.0.4 in Maven like so:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-jersey</artifactId>
        <exclusions>
            <!-- Fix CVE-2021-28170 - exclude the vulnerable import (3.0.3 and lower) -->
            <exclusion>
                <!-- org.glassfish:jakarta.el:3.0.3 -->
                <groupId>org.glassfish</groupId>
                <artifactId>jakarta.el</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    
    <!-- Fix CVE-2021-28170 - import the latest, fixed version (3.0.4) -->
    <dependency>
        <groupId>org.glassfish</groupId>
        <artifactId>jakarta.el</artifactId>
        <version>3.0.4</version>
    </dependency>
    
</dependencies>
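The exclusions in the three sections above fix the build as it stands today, but a later upgrade of hadoop-client or the Spring Boot Jersey starter can silently bring an old version back. The build section below, added here as an example and not part of the original article, uses the Maven Enforcer Plugin's bannedDependencies rule to fail the build whenever one of the vulnerable ranges named on this page is resolved anywhere in the dependency tree (the rule searches transitive dependencies by default). The plugin version 3.0.0 is an assumption; use whatever version your build standardizes on. Because the CVE-2021-28168 section names jersey-common while its exclusion targets jersey-server, the rule bans both artifacts below 2.34.

```xml
<build>
    <plugins>
        <!-- Added example (not from the original article): fail the build if a
             vulnerable transitive version is resolved again. The enforce goal
             binds to the validate phase, so any mvn build runs it. -->
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-enforcer-plugin</artifactId>
            <version>3.0.0</version> <!-- assumed version -->
            <executions>
                <execution>
                    <id>ban-vulnerable-transitives</id>
                    <goals>
                        <goal>enforce</goal>
                    </goals>
                    <configuration>
                        <rules>
                            <bannedDependencies>
                                <!-- entry format: groupId:artifactId:versionRange -->
                                <excludes>
                                    <!-- CVE-2021-29425: commons-io 2.6 and lower -->
                                    <exclude>commons-io:commons-io:[,2.7)</exclude>
                                    <!-- CVE-2021-28168: Jersey 2.33 and lower -->
                                    <exclude>org.glassfish.jersey.core:jersey-server:[,2.34)</exclude>
                                    <exclude>org.glassfish.jersey.core:jersey-common:[,2.34)</exclude>
                                    <!-- CVE-2021-28170: jakarta.el 3.0.3 and lower -->
                                    <exclude>org.glassfish:jakarta.el:[,3.0.4)</exclude>
                                </excludes>
                            </bannedDependencies>
                        </rules>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

When a banned version reappears, the enforcer reports the offending artifact together with the dependency path that introduced it, which tells you exactly which new transitive needs an exclusion or a managed version.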