Use of software with known vulnerabilities in environments

Need

Remediation of dependencies with known vulnerabilities in Maven for Kotlin projects

Context

• Usage of Maven or Gradle for dependency management in Kotlin projects

• Usage of Maven Central or other repositories for dependency resolution

Description

1. Non compliant code

<!-- pom.xml -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.jetbrains.kotlin</groupId>
      <artifactId>kotlin-stdlib</artifactId>
      <version>1.6.10</version>
    </dependency>...

The pom.xml file above declares a direct dependency on kotlin-stdlib 1.6.10, an outdated release that dependency scanners commonly flag for CVE-2022-24329. Check the advisory's affected range before acting on such a finding: the Kotlin advisory for CVE-2022-24329 names versions before 1.6.0, so a match on 1.6.10 should be confirmed against the advisory source rather than accepted from a scanner's CPE match alone. The project also pulls in jackson-databind 2.13.0 transitively, through jackson-module-kotlin, and that version is affected by CVE-2022-42003, a resource-exhaustion bug in its deserializers that was fixed in 2.13.4.2. Direct dependencies appear explicitly in pom.xml; transitive dependencies are resolved by Maven and are not visible there. Run mvn dependency:tree to inspect the full resolved tree, or mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind to see only the path that brings in one artifact.

2. Steps

• Run mvn dependency:tree, or a scanner such as the OWASP dependency-check Maven plugin (mvn org.owasp:dependency-check-maven:check), to identify packages with known vulnerabilities, and confirm each finding against the affected version range in the advisory

• Update vulnerable direct dependencies in pom.xml to the first patched version or later

• For a transitive dependency, update the direct dependency that pulls it in (mvn dependency:tree -Dincludes=groupId:artifactId shows the path) to a release that declares a patched version

• If updating the direct dependency does not change the resolved version, add a dependencyManagement entry in pom.xml to force a patched version of the transitive dependency; a forced version is one the direct dependency may never have been tested with, so the test suite is the compatibility check

• Run mvn verify, which executes the test suite, and re-run mvn dependency:tree to confirm the resolved versions are the expected ones

• If no patched version exists upstream, monitor the repository for a patch and track the finding as open risk until one is released

3. Secure code example

<!-- pom.xml -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.15.3</version>...

The fixed pom.xml updates kotlin-stdlib and jackson-module-kotlin to patched versions, and a dependencyManagement entry pins jackson-databind to 2.15.3 so that Maven resolves that version wherever the artifact appears in the tree, which closes the transitive finding. dependencyManagement only fixes the version Maven will use; it does not add the artifact to the build, so the direct dependency that needs it must still declare it. After applying the changes, run mvn verify (which runs the test suite) to confirm compatibility, and run mvn dependency:tree to confirm the resolved versions match expectations.
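The steps above and the verification at the end of the secure example can be exercised against real mvn dependency:tree output. The following is an added example, not code from the original guideline or from the Maven, Kotlin or Jackson projects: a Python script that parses the tree text, reports every artifact below a published fix version together with the path from the project root (so the direct dependency to update, or the artifact to pin in dependencyManagement, is explicit), and re-checks a second listing to confirm the resolved versions after the fix. The two tree listings, the project coordinates com.example:demo and the shape of the FIXED_VERSIONS table are constructed for the example; the fix versions themselves are the published ones (CVE-2022-24329: Kotlin before 1.6.0; CVE-2022-42003: jackson-databind before 2.13.4.2), which is why the run flags jackson-databind 2.13.0 but not kotlin-stdlib 1.6.10, a scanner flag that has to be confirmed against the advisory rather than taken from a CPE match.

```python
"""Triage `mvn dependency:tree` output against known-vulnerable versions.

Added example for this guideline (not project code). The two tree listings
are constructed sample data; the fixed versions in the advisory table are the
ones published for the CVEs the guideline names, the table shape is assumed.
"""
import re

# Constructed dependency:tree output for a hypothetical project "demo".
VULNERABLE_TREE = r"""
[INFO] --- dependency:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.10:compile
[INFO] |  \- org.jetbrains:annotations:jar:13.0:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.13.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.0:compile
[INFO] \- org.junit.jupiter:junit-jupiter:jar:5.10.0:test
[INFO] BUILD SUCCESS
"""

# Constructed tree for the same project after pinning jackson-databind in
# <dependencyManagement>; the parenthesised suffix is what -Dverbose prints.
PINNED_TREE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.9.22:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.13.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile (version managed from 2.13.0)
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.0:compile
[INFO] \- org.junit.jupiter:junit-jupiter:jar:5.10.0:test
"""

# 'group:artifact' -> [(advisory, first fixed version)], ranges as published:
# CVE-2022-24329 affects Kotlin before 1.6.0, CVE-2022-42003 affects
# jackson-databind before 2.13.4.2.
FIXED_VERSIONS = {
    "org.jetbrains.kotlin:kotlin-stdlib": [("CVE-2022-24329", "1.6.0")],
    "com.fasterxml.jackson.core:jackson-databind": [("CVE-2022-42003", "2.13.4.2")],
}

# group:artifact:type[:classifier]:version[:scope]
COORD_RE = re.compile(r"^[\w.\-]+(?::[\w.\-]+){3,5}$")


def parse_tree_line(line):
    """Return (depth, 'group:artifact', version) for a tree node, else None.

    Depth comes from the 3-character drawing prefix Maven emits per level.
    Non-node lines (plugin banner, BUILD SUCCESS, verbose-mode omitted
    duplicates shown inside parentheses) yield None; a trailing annotation
    such as "(version managed from 2.13.0)" is dropped.
    """
    if not line.startswith("[INFO] "):
        return None
    body = line[len("[INFO] "):]
    prefix = 0
    while prefix < len(body) and body[prefix] in "|+\\- ":
        prefix += 1
    coords = body[prefix:].split(" ")[0]
    if not COORD_RE.match(coords):
        return None
    parts = coords.split(":")
    version = parts[4] if len(parts) == 6 else parts[3]
    return prefix // 3, f"{parts[0]}:{parts[1]}", version


def parse_version(v):
    """Split '2.14.0-rc1' into ([2, 14, 0], 'rc1')."""
    nums, qual = [], []
    for part in re.split(r"[.\-]", v):
        if part.isdigit() and not qual:
            nums.append(int(part))
        else:
            qual.append(part)
    return nums, "-".join(qual)


def version_less(a, b):
    """True if version a sorts before b: numeric parts compare as integers
    (2.9 < 2.13, unlike a string compare) and a qualifier such as -rc1
    sorts before the bare release it precedes."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += [0] * (width - len(na))
    nb += [0] * (width - len(nb))
    if na != nb:
        return na < nb
    return bool(qa) and (not qb or qa < qb)


def triage(tree_text, fixed_versions):
    """Report every node below its fix version, with the path from the root
    so the direct dependency that pulls in a transitive one is explicit."""
    findings, path = [], []
    for line in tree_text.splitlines():
        node = parse_tree_line(line)
        if node is None:
            continue
        depth, coords, version = node
        path = path[:depth] + [f"{coords}:{version}"]
        for advisory, fixed in fixed_versions.get(coords, []):
            if version_less(version, fixed):
                findings.append({"artifact": coords, "version": version, "advisory": advisory,
                                 "fixed_in": fixed, "depth": depth, "path": list(path)})
    return findings


def resolved_versions(tree_text):
    """Map 'group:artifact' to the version Maven actually resolved."""
    out = {}
    for line in tree_text.splitlines():
        node = parse_tree_line(line)
        if node is not None:
            out[node[1]] = node[2]
    return out


def remediation(finding):
    """The step the guideline prescribes for this finding."""
    artifact, fixed = finding["artifact"], finding["fixed_in"]
    if finding["depth"] == 1:
        return f"update direct dependency {artifact} to {fixed} or later in pom.xml"
    direct = finding["path"][1]
    return (f"transitive via {direct}: update {direct.rsplit(':', 1)[0]} to a release that "
            f"pulls {artifact} >= {fixed}, or pin {artifact} {fixed} in <dependencyManagement>")


if __name__ == "__main__":
    for f in triage(VULNERABLE_TREE, FIXED_VERSIONS):
        print(f"{f['advisory']}: {f['artifact']}:{f['version']} (fixed in {f['fixed_in']})")
        print("  path:", " -> ".join(f["path"]))
        print("  fix: ", remediation(f))
    print("after pinning:", triage(PINNED_TREE, FIXED_VERSIONS) or "no findings")
```

To run it against a real project, write the tree with mvn dependency:tree -DoutputFile=tree.txt and read that file in place of the constructed strings. The version comparison is deliberately simpler than Maven's own ComparableVersion ordering, so treat unusual qualifiers with care; for the numeric releases scanners normally report it gives the same answer.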