spring-cloud-openfeign-core transitively depends on commons-io with CVE-2024-47554
DidierLoiseau opened this issue · 7 comments
Describe the bug
spring-cloud-openfeign-core depends on commons-fileupload:1.5 which in turn depends on commons-io:2.11 which suffers from CVE-2024-47554. It would be nice to upgrade it for the next release so that end-users don't have to force the version of commons-io.
Note that Gary D. Gregory indicated in FILEUPLOAD-357 that a release of commons-fileupload:1.6 is already planned with an upgrade of commons-io, so you may want to just wait for it.
On the other hand, commons-fileupload seems to be needed only for feign-forms-spring, so maybe both should be made optional? BTW it seems that feign-forms-spring was merged into the main feign project, so it will be relocated in its next release (change of groupId and alignment on version number).
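A check for the transitive dependency described in this issue, as an added example that is not part of the issue or of the spring-cloud-openfeign project: it parses `mvn dependency:tree` output (a constructed sample below) and reports every commons-io node below the fixed version together with the path through which it is pulled in. The fixed version 2.14.0 and the Spring artifact versions used in the sample are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output; the Spring and feign-form
# versions are illustrative, the commons-fileupload/commons-io pair matches the issue.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.cloud:spring-cloud-starter-openfeign:jar:4.1.3:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-openfeign-core:jar:4.1.3:compile
[INFO] |     +- commons-fileupload:commons-fileupload:jar:1.5:compile
[INFO] |     |  \\- commons-io:commons-io:jar:2.11.0:compile
[INFO] |     \\- io.github.openfeign.form:feign-form-spring:jar:3.8.0:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

# "[INFO] " + tree-drawing prefix (groups of 3 chars: "+- ", "\- ", "|  ", "   ") + coordinates
LINE_RE = re.compile(r"^\[INFO\]\s((?:[|+\\ -]{3})*)(\S+)$")


def version_key(version: str) -> Tuple[int, ...]:
    """Compare Maven versions on their numeric components only (2.11.0 < 2.14.0)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, 'groupId:artifactId', version) for every node in the tree."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        # groupId:artifactId:packaging[:classifier]:version[:scope]; the root has no scope
        version = parts[-1] if len(parts) == 4 else parts[-2]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", version))
    return nodes


def find_vulnerable(text: str, artifact: str = "commons-io:commons-io",
                    fixed: str = "2.14.0") -> List[Tuple[str, str]]:
    """Return (version, 'root -> ... -> artifact') for each node of `artifact` older than `fixed`."""
    findings, stack = [], []  # stack[depth] = coordinates of the current ancestor at that depth
    for depth, coords, version in parse_tree(text):
        del stack[depth:]
        stack.append(coords)
        if coords == artifact and version_key(version) < version_key(fixed):
            findings.append((version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for version, path in find_vulnerable(SAMPLE_TREE):
        print(f"commons-io {version} pulled in via: {path}")
```

In a real project pipe `mvn dependency:tree` into `find_vulnerable` instead of the sample; an exclusion plus an explicit newer commons-io in dependencyManagement is the usual way to make the finding disappear.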
Hello, @DidierLoiseau, thanks for reporting the issue. https://github.com/OpenFeign/feign-form?tab=readme-ov-file#form-encoder is a separate project, not maintained by our team, and there is no higher version of that project that we could upgrade to. Please create an issue there and link it here so that we can track it and upgrade as soon as it's fixed in the downstream project.
Thanks @OlgaMaciaszek for your answer. spring-cloud-openfeign-core actually has an exclusion and an explicit dependency on commons-fileupload, so currently the dependency is maintained here.
I agree that things will be easier when they release a new version with an updated commons-io/commons-fileupload though, but you will have to deal with the relocation as well then – I just created #1102 for that.
Right @DidierLoiseau; waiting for commons-fileupload 1.6 then.
Will not be handling it directly anymore after #1103 gets merged.
@DidierLoiseau, @OlgaMaciaszek - what's interesting is commons-fileupload team's work on the version 2.X https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt which is under a different group and artifact ID:
<groupId>org.apache.commons</groupId>
<artifactId>commons-fileupload2</artifactId>
Given the rare release cycle for 1.X https://github.com/apache/commons-fileupload/tags, I think 1.6 might not come so soon if at all.
@jurgis-sipols the dependency has already been upgraded in the 1.x branch (even before I created FILEUPLOAD-357, actually), so all it needs is to be released…
There is activity on both the main and 1.x branches, so it’s not like if either branch was abandoned, but maybe they still have some remaining tasks/goals for 1.6 – which I don’t find in Jira though.
Hi @jurgis-sipols, thanks for linking this. Once it's been released as a GA, we can switch to it, but we'd usually switch dependencies for different majors only on new release lines. If you stay on top of it and see a GA's been released, feel free to submit the PR with the swap to the main branch.