
Database

Use of software with known vulnerabilities in environments

Need

Remediation of dependencies with known vulnerabilities in Maven

Context

• Usage of Maven for build automation and dependency management in Java and Kotlin projects

• Usage of Maven Central or other repositories for dependency resolution

Description

1. Non-compliant code

<!-- pom.xml -->
<project>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <!-- 2.13.0 is inside the range affected by CVE-2022-42003 (fixed in 2.13.4.2) -->
      <version>2.13.0</version>
    </dependency>...

The pom.xml above declares a direct dependency on jackson-databind 2.13.0, which falls in the range affected by CVE-2022-42003: the primitive value deserializers lack a check for deeply nested wrapper arrays, so a crafted document can exhaust resources (denial of service) when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. The fix shipped in 2.13.4.2 (and 2.12.7.1 for the 2.12 line). The project also pulls in snakeyaml 1.33 transitively through spring-boot-starter-web. In snakeyaml 1.x the default Constructor instantiates whatever class a YAML tag names, so parsing attacker-controlled YAML with it leads to remote code execution (CVE-2022-1471); the fix is in snakeyaml 2.0. Direct dependencies appear explicitly in pom.xml, while transitive dependencies are resolved by Maven and are not visible there. Run mvn dependency:tree to see the full tree, including the path through which each transitive artifact is pulled in; mvn dependency:tree -Dincludes=org.yaml:snakeyaml narrows the output to one artifact.

2. Steps

• Run mvn dependency:tree, or a scanner such as the OWASP dependency-check-maven plugin (mvn org.owasp:dependency-check-maven:check), to identify artifacts with known vulnerabilities; a scanner also covers the transitive artifacts you would otherwise have to match against advisories by hand

• Update vulnerable direct dependencies in pom.xml to the first fixed release or later (here jackson-databind 2.13.4.2 or newer)

• For transitive dependencies, prefer updating the direct dependency that pulls them in (here the Spring Boot starter), so that the new version is one its maintainers have tested against

• If no release of the direct dependency pulls in a safe version yet, add a dependencyManagement entry in pom.xml to force the safe version of the transitive dependency; Maven applies dependencyManagement to transitive dependencies as well. A forced jump across a major version (snakeyaml 2.0 is a breaking release whose Constructor no longer instantiates arbitrary classes by default) can break the library that depends on it, which is why the next step matters

• Run mvn verify, which executes the test suite as part of the build, to confirm the fix

• If no safe version exists upstream, monitor the repository for a patch and limit exposure in the meantime where the advisory offers a mitigation (for snakeyaml, parse untrusted YAML with SafeConstructor; for jackson-databind, keep UNWRAP_SINGLE_VALUE_ARRAYS disabled when deserializing untrusted input)

3. Secure code example

<!-- pom.xml -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <!-- 2.0 is the first release fixing CVE-2022-1471; pinned here because the artifact is only transitive -->
        <version>2.2</version>...

The fixed pom.xml above updates jackson-databind to a patched version and adds a dependencyManagement entry to force a safe version of snakeyaml. An entry in dependencyManagement does not add a dependency; it pins the version Maven uses whenever that artifact is resolved, directly or transitively, so the spring-boot-starter-web declaration itself needs no change. (A project that inherits from spring-boot-starter-parent can get the same effect by setting the snakeyaml.version property that parent exposes.) After applying the changes, run mvn verify, which runs the test suite, to confirm compatibility, and run mvn dependency:tree to confirm that the resolved versions match expectations: snakeyaml must now show 2.2 under spring-boot-starter-web and jackson-databind the patched version, with no older copy left anywhere in the tree.
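Both the identification step in section 2 and the confirmation step above come down to reading the tree that mvn dependency:tree prints. The script below is an added example, not code from the original page: it parses that text, records for each artifact whether it is a direct dependency or which direct dependency drags it in (the one to upgrade, or to override under dependencyManagement), and compares the resolved versions against the fixed versions of the two CVEs discussed here. The sample tree, the project coordinates com.example:demo and the Spring Boot versions in it are constructed; the advisory ranges are hard-coded for illustration and in practice should come from a live source such as OSV, the GitHub Advisory Database or NVD. The version ordering is a simplified form of Maven's ComparableVersion, enough for release numbers and alpha/beta/rc qualifiers.

```python
"""Audit `mvn dependency:tree` output for known-vulnerable artifact versions.
Added example, not the page's own code; see the lead-in for what is assumed."""
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample of what `mvn dependency:tree` prints for the non-compliant
# pom on this page; project coordinates and Spring versions are illustrative.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.13.0:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.7.7:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:2.7.7:compile
[INFO]    |  \\- org.yaml:snakeyaml:jar:1.33:compile
[INFO]    \\- org.springframework:spring-webmvc:jar:5.3.24:compile
"""
# The same project after the fix from section 3 (constructed).
FIXED_TREE = (SAMPLE_TREE
              .replace("jackson-databind:jar:2.13.0", "jackson-databind:jar:2.13.4.2")
              .replace("snakeyaml:jar:1.33", "snakeyaml:jar:2.2"))
# groupId:artifactId -> [(CVE, [(first_affected, first_fixed), ...])], as published
# for the two CVEs on this page; in practice load these from OSV, GHSA or NVD.
ADVISORIES: Dict[str, List[Tuple[str, List[Tuple[str, str]]]]] = {
    "com.fasterxml.jackson.core:jackson-databind": [
        ("CVE-2022-42003", [("0", "2.12.7.1"), ("2.13.0", "2.13.4.2")])],
    "org.yaml:snakeyaml": [("CVE-2022-1471", [("0", "2.0")])],
}
_QUALIFIER_RANK = {"alpha": 1, "beta": 2, "milestone": 3, "rc": 4, "cr": 4, "snapshot": 5}
# "[INFO] " + nesting prefix (3 chars per level) + "+- " or "\- " + g:a:type:version[:scope]
_TREE_LINE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?P<conn>[+\\]- )?(?P<coords>\S+)(?: \(.*\))?\s*$")


def version_key(version: str) -> List[Tuple]:
    """Tokenise a Maven version; a numeric part sorts above any qualifier (1.0-rc1 < 1.0)."""
    key: List[Tuple] = []
    for tok in re.split(r"[.\-]", version.lower()):
        if tok.isdigit():
            key.append((1, int(tok)))
        else:
            m = re.fullmatch(r"([a-z]*)(\d*)", tok)
            name, num = (m.group(1), m.group(2)) if m else (tok, "")
            key.append((0, _QUALIFIER_RANK.get(name, 6), int(num or 0)))
    return key


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; a simplified Maven ComparableVersion, zero-padded so 2.0 == 2.0.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_tree(text: str) -> List[Dict]:
    """One record per node: ga, version, depth (0 = the project) and g:a path from the root."""
    nodes: List[Dict] = []
    stack: List[str] = []
    for line in text.splitlines():
        m = _TREE_LINE.match(line)
        if not m:
            continue
        parts = m.group("coords").split(":")
        if len(parts) < 4:  # plugin banner, separators: not a g:a:type:version node
            continue
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[-2] if len(parts) > 4 else parts[3]  # handles an optional classifier
        depth = len(m.group("prefix")) // 3 + (1 if m.group("conn") else 0)
        del stack[depth:]  # keep only this node's ancestors
        stack.append(ga)
        nodes.append({"ga": ga, "version": version, "depth": depth, "path": list(stack)})
    return nodes


def find_vulnerable(tree_text: str, advisories=ADVISORIES) -> List[Dict]:
    """Every resolved artifact whose version falls inside an affected range."""
    hits: List[Dict] = []
    for node in parse_tree(tree_text):
        if node["depth"] == 0:  # the project itself
            continue
        for cve, ranges in advisories.get(node["ga"], []):
            for first_affected, first_fixed in ranges:
                v = node["version"]
                if compare_versions(v, first_affected) >= 0 and compare_versions(v, first_fixed) < 0:
                    # "via" is the direct dependency to upgrade or to override under dependencyManagement
                    hits.append({"cve": cve, "ga": node["ga"], "version": v, "fixed": first_fixed,
                                 "kind": "direct" if node["depth"] == 1 else "transitive",
                                 "via": node["path"][1] if node["depth"] > 1 else None})
                    break
    return hits


def resolved_version(tree_text: str, ga: str) -> Optional[str]:
    """The version Maven actually resolved for groupId:artifactId, or None if absent."""
    for node in parse_tree(tree_text):
        if node["ga"] == ga:
            return node["version"]
    return None


if __name__ == "__main__":
    for h in find_vulnerable(SAMPLE_TREE):
        via = f" via {h['via']}" if h["via"] else ""
        print(f"{h['cve']}: {h['ga']}:{h['version']} ({h['kind']}{via}) -> upgrade to >= {h['fixed']}")
    print("after fix:", find_vulnerable(FIXED_TREE) or "no known-vulnerable versions resolved")
```

In a real project, capture the tree with mvn dependency:tree > tree.txt and pass the file contents to find_vulnerable; after changing pom.xml, resolved_version on a fresh tree confirms what Maven actually picked rather than what was declared. The parser also accepts the "(version managed from ...)" suffix that -Dverbose adds, which is the quickest way to see that a dependencyManagement override took effect.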