bug: room-compiler:2.5.1: vulnerabilities - Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL #587

Closed
Avani-A-S opened this issue Sep 9, 2024 · 5 comments · Fixed by #588
Labels
bug/fix Something isn't working platform: android Android platform

Comments

@Avani-A-S

Versions: 6.0.1 and older versions as well

Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL

Platform(s):
Android

Current behavior:
annotationProcessor 'androidx.room:room-compiler:2.5.1'

This dependency has vulnerabilities:
GHSA-6phf-6h5g-97j2
https://ossindex.sonatype.org/vuln/CVE-2023-32697
https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.6
GHSA-5mg8-w23w-74h3
https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.6

Expected behavior:
Is there any plan to update the room-compiler version to fix vulnerabilities?

@robingenz
Member

I updated androidx.room:room-compiler to the latest stable version (2.6.1). This is a pre-release:

npm i @capacitor-community/[email protected]

Please let me know if your issue is resolved.

@robingenz robingenz added platform: android Android platform and removed needs: triage labels Sep 9, 2024
@Avani-A-S
Author

Thanks a lot for the quick action.

It turns out that, in order to check this, I need to apply too many major updates in my projects and even Capacitor version upgrades that I am not able to finish due to other conflicting packages. (This is definitely planned in the future but not right now.)

Just wanted to check if I can request this change to be applied to the older version "@capacitor-community/sqlite": "^5.7.4".

I believe in this case I'll be able to quickly check without major version conflicts and conclude on the security issue.

@robingenz
Member

Here you go:

npm i @capacitor-community/[email protected]

@Avani-A-S
Author

@robingenz
The Critical and High Severity issues related to the Sqlite-jdbc vulnerability are now resolved in this version. Thanks!

Other issues are still there as "androidx.room:room-compiler 2.6.1" is dependent on "com.google.guava 31.1-jre", but I guess we need to wait for room-compiler's next stable version for that.

For reference on the guava vulnerabilities:
https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.6

GHSA-7g45-4rm6-3mm3

GHSA-5mg8-w23w-74h3

https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.6
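An added check for the situation described in the issue and in the comment above (this is example code, not code from this issue or from the @capacitor-community/sqlite project): it parses the output of Gradle's `dependencies --configuration annotationProcessor` report for the module that declares room-compiler and reports which of the artifacts named in the thread resolve below the advisory's fixed version. The dependency tree embedded in the script is constructed and the versions in it are hypothetical; the fixed-version table is the example's own data, taken from the cited GitHub advisories (sqlite-jdbc 3.41.2.2 for GHSA-6phf-6h5g-97j2, guava 32.0.0 for GHSA-5mg8-w23w-74h3 and GHSA-7g45-4rm6-3mm3) and to be confirmed against the advisory at the time of use. Two points a scanner report alone does not show: a `-> version` arrow in Gradle's tree means conflict resolution replaced the declared version, so the resolved version is the one that matters; and because these artifacts sit in the `annotationProcessor` configuration, they run inside the build JVM (the Room annotation processor) and are not packaged into the APK, so the exposure is to the build environment rather than to the app at runtime.

```python
"""Audit a Gradle dependency tree for the artifacts discussed in this issue.

Example code, not part of the plugin. Reads the text of
`./gradlew <module>:dependencies --configuration annotationProcessor`
and flags artifacts whose *resolved* version is below the advisory fix.
"""
import re
from typing import Dict, List, Tuple

# Fixed-version thresholds per advisory. This table is the example's own data
# (assumption: it matches the advisories' "patched versions" when you run it).
FIXED_IN: Dict[str, List[Tuple[str, str, Tuple[int, ...]]]] = {
    "org.xerial:sqlite-jdbc": [
        ("GHSA-6phf-6h5g-97j2", "CVE-2023-32697", (3, 41, 2, 2)),
    ],
    "com.google.guava:guava": [
        ("GHSA-5mg8-w23w-74h3", "CVE-2020-8908", (32, 0, 0)),
        ("GHSA-7g45-4rm6-3mm3", "CVE-2023-2976", (32, 0, 0)),
    ],
}

# One tree line: ASCII tree prefix, group:name:version, optional "-> resolved"
# arrow from conflict resolution, optional trailing markers such as "(*)"/"(c)".
LINE_RE = re.compile(
    r"^[\s|+\\-]*(?P<group>[A-Za-z0-9_.]+):(?P<name>[A-Za-z0-9_.\-]+):(?P<declared>\S+)"
    r"(?:\s*->\s*(?P<resolved>\S+))?"
)

# Constructed sample output. Versions are hypothetical, except that the thread
# itself reports room-compiler pulling com.google.guava:guava:31.1-jre.
SAMPLE_TREE = r"""
annotationProcessor - Annotation processors and their dependencies for source set 'main'.
+--- androidx.room:room-compiler:2.5.1
|    +--- androidx.room:room-common:2.5.1
|    +--- org.xerial:sqlite-jdbc:3.41.2.1 -> 3.41.2.2
|    +--- com.google.guava:guava:31.1-jre
|    |    \--- com.google.guava:failureaccess:1.0.1
|    \--- org.jetbrains.kotlin:kotlin-stdlib:1.8.0
\--- org.xerial:sqlite-jdbc:3.41.2.2
"""


def version_key(version: str) -> Tuple[int, ...]:
    """'31.1-jre' -> (31, 1); '3.41.2.2' -> (3, 41, 2, 2).

    The -jre/-android qualifier is dropped: the advisory ranges used here
    are the same for both Guava flavours.
    """
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(version: str, fixed: Tuple[int, ...]) -> bool:
    """True if `version` sorts below `fixed`, padding so '30' == '30.0'."""
    v = version_key(version)
    n = max(len(v), len(fixed))
    return v + (0,) * (n - len(v)) < fixed + (0,) * (n - len(fixed))


def parse_tree(text: str) -> Dict[str, str]:
    """Map artifact -> the version Gradle actually resolved.

    Gradle resolves one version per artifact per configuration; when that
    differs from what a dependency declared it prints 'declared -> resolved',
    so the right-hand side is the one to audit.
    """
    effective: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, project references, blank lines
        artifact = f"{m['group']}:{m['name']}"
        effective[artifact] = m["resolved"] or m["declared"]
    return effective


def find_vulnerable(effective: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (artifact, resolved version, GHSA id, CVE id) for each unfixed advisory."""
    findings = []
    for artifact, version in sorted(effective.items()):
        for ghsa, cve, fixed in FIXED_IN.get(artifact, []):
            if is_older(version, fixed):
                findings.append((artifact, version, ghsa, cve))
    return findings


def main() -> None:
    for artifact, version, ghsa, cve in find_vulnerable(parse_tree(SAMPLE_TREE)):
        print(f"{artifact}:{version} resolves below the fix for {cve} ({ghsa})")


if __name__ == "__main__":
    main()
```

On the sample tree the script reports only guava: the `->` arrow shows sqlite-jdbc already resolved to 3.41.2.2. That arrow is what you get by declaring `org.xerial:sqlite-jdbc:3.41.2.2` directly in the same `annotationProcessor` configuration, since Gradle's default conflict resolution picks the highest requested version; it is a way to move the transitive artifact without waiting for a plugin release, provided the Room processor is re-tested against the bumped version.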

@robingenz
Member

> The Critical and High Severity issues related to the Sqlite-jdbc vulnerability are now resolved in this version. Thanks!

Thank you, I will publish a new release.

> Other issues are still there as "androidx.room:room-compiler 2.6.1" is dependent on "com.google.guava 31.1-jre", but I guess we need to wait for room-compiler's next stable version for that.

Yes

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 11, 2024