bug: room-compiler:2.5.1: vulnerabilities - Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL #587
Comments
I updated.
Please let me know if your issue is resolved.
Thanks a lot for the quick action. It turns out that, in order to check this, I need to apply too many major updates in my projects and even Capacitor version upgrades that I am not able to finish due to other conflicting packages. (This is definitely planned in the future but not right now.) I just wanted to check if I can request this change to be applied to the older version "@capacitor-community/sqlite": "^5.7.4". I believe in this case I'll be able to quickly check without major version conflicts and conclude on the security issue.
Here you go:
@robingenz Other issues are still there, as "androidx.room:room-compiler 2.6.1" depends on "com.google.guava 31.1-jre", but I guess we need to wait for room-compiler's next stable version for that. For reference on the guava vulnerabilities.
Thank you, I will publish a new release.
Yes
Versions: 6.0.1 and older versions as well
Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL
Platform(s):
Android
Current behavior:
annotationProcessor 'androidx.room:room-compiler:2.5.1'
This dependency has vulnerabilities:
GHSA-6phf-6h5g-97j2
https://ossindex.sonatype.org/vuln/CVE-2023-32697
https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.6
GHSA-5mg8-w23w-74h3
https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.6
Expected behavior:
Is there any plan to update the room-compiler version to fix vulnerabilities?
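The issue above is about a vulnerable library (guava, sqlite-jdbc) reaching the build only transitively through room-compiler, which is easy to miss when you only look at the versions you declared yourself. The following script is an added example, not code from the issue or from the @capacitor-community/sqlite project: it parses the tree that `./gradlew :app:dependencies` prints and flags every node whose resolved version is below an assumed fixed-in version, together with the chain of direct dependencies that pulls it in. The sample tree and the second annotation processor in it are constructed for the example, and the fixed-in thresholds in `FIXED_IN` are an assumption taken from the linked advisories that you should verify against them before relying on the output.

```python
"""Flag vulnerable transitive dependencies in Gradle dependency-tree output (added example)."""
import re
from dataclasses import dataclass, field

# Assumed fixed-in versions for the advisories linked in the issue
# (GHSA-5mg8-w23w-74h3 / CVE-2023-2976 for guava, GHSA-6phf-6h5g-97j2 for sqlite-jdbc).
# This mapping is an assumption of the example: verify it against the advisories.
FIXED_IN = {
    "com.google.guava:guava": "32.0.0",
    "org.xerial:sqlite-jdbc": "3.41.2.2",
}

# Constructed sample of `./gradlew :app:dependencies --configuration annotationProcessor`
# output. It is not captured from the project in the issue; only the tree shape is Gradle's.
SAMPLE_TREE = """\
annotationProcessor - Annotation processors and their dependencies for source set 'main'.
+--- androidx.room:room-compiler:2.5.1
|    +--- androidx.room:room-common:2.5.1
|    +--- com.google.guava:guava:31.1-jre
|    |    +--- com.google.guava:failureaccess:1.0.1
|    |    \\--- com.google.code.findbugs:jsr305:3.0.2
|    \\--- org.xerial:sqlite-jdbc:3.36.0.3
\\--- com.example:other-processor:1.0
     \\--- com.google.guava:guava:30.1-jre -> 31.1-jre (*)
"""


@dataclass
class Finding:
    module: str      # group:artifact
    resolved: str    # version Gradle actually selected for the build
    fixed_in: str    # assumed threshold the resolved version falls below
    path: list = field(default_factory=list)  # chain of dependencies that pulls it in


# One tree node: optional "|    " prefixes, then "+--- " or "\--- ", the coordinate,
# and an optional "-> version" when Gradle resolved a conflict to another version.
_NODE = re.compile(r"^(?P<prefix>[|\s]*)[+\\]--- (?P<coord>\S+)(?: -> (?P<resolved>\S+))?")


def version_key(version):
    """Numeric tuple for a Maven-style version ('31.1-jre' -> (31, 1)); qualifiers are dropped."""
    numeric = version.split("-")[0]
    return tuple(int(n) for n in re.findall(r"\d+", numeric))


def parse_tree(text):
    """Yield (depth, module, requested_version, resolved_version) for every node in the tree."""
    for line in text.splitlines():
        m = _NODE.match(line)
        if not m:
            continue  # configuration header, blank lines, "(*) - dependencies omitted" footer
        depth = len(m.group("prefix")) // 5  # each nesting level is 5 characters wide
        parts = m.group("coord").split(":")
        if len(parts) != 3:
            continue  # e.g. "project :lib" nodes, which carry no version
        module = f"{parts[0]}:{parts[1]}"
        requested = parts[2]
        resolved = m.group("resolved") or requested
        yield depth, module, requested, resolved


def find_vulnerable(text, fixed_in=FIXED_IN):
    """Return a Finding for each occurrence whose resolved version is below the fixed-in version."""
    findings, stack = [], []
    for depth, module, requested, resolved in parse_tree(text):
        del stack[depth:]  # climb back to this node's parent before descending
        stack.append(f"{module}:{requested}")
        threshold = fixed_in.get(module)
        if threshold and version_key(resolved) < version_key(threshold):
            findings.append(Finding(module, resolved, threshold, stack[:-1]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        chain = " -> ".join(f.path) or "(declared directly)"
        print(f"{f.module}:{f.resolved} is below {f.fixed_in}, pulled in via {chain}")
```

The comparison is done on the resolved version (the right-hand side of `->`), because that is what ends up on the classpath; a declared `30.1-jre` that Gradle bumps to `31.1-jre` is still reported as `31.1-jre`. Each occurrence is reported with its own path, so the output tells you which direct dependency needs the upgrade (or a `resolutionStrategy` override) rather than only that a bad version is present somewhere.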