CVE-2024-1597 exposure? #2393
Hi everyone, a CVE on Postgres was opened on the 19th of February this year: https://nvd.nist.gov/vuln/detail/CVE-2024-1597. Depending on the source, the Postgres version actually used in Apicurio is potentially exposed (though it depends on a specific configuration I did not see in the source code). In short, the Maven repository and sites like nvd.nist.gov say version 42.2.20 of the Postgres JDBC driver is safe; the official Postgres JDBC repository says it's not (GHSA-24rp-q3w6-vc56). I tend to think there is no risk today (it requires a specific connection property and SQL statements), but I wonder whether an upgrade to the latest 42.2.28 version should be done to solve the question once and for all (some automatic scan tools are raising warnings, even if they may be false positives).
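An added check (not Apicurio's own code) that a maintainer could run over a build's pom.xml and its JDBC URL: it resolves the declared org.postgresql:postgresql version (including a `${property}` pin), compares it with the patched releases listed in the GHSA-24rp-q3w6-vc56 advisory the question cites, and separately tests the advisory's precondition, the `preferQueryMode=simple` connection property, so the output distinguishes "a dependency scanner will warn" from "this configuration is actually exposed". The sample pom and URLs are constructed, not Apicurio's.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Earliest patched pgjdbc release per 42.x minor line, per GHSA-24rp-q3w6-vc56.
FIXED = {2: 28, 3: 9, 4: 4, 5: 5, 6: 1, 7: 2}

def parse_version(text):
    """'42.2.20' or '42.2.20.jre7' -> (42, 2, 20); qualifiers are ignored."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def driver_is_fixed(version):
    """True if this pgjdbc version is at or past the patched release of its line."""
    major, minor, patch = parse_version(version)
    if major != 42:
        return major > 42
    if minor not in FIXED:
        return minor > max(FIXED)  # newer lines postdate the fix; older ones never got it
    return patch >= FIXED[minor]

def pgjdbc_versions(pom_xml):
    """Versions declared for org.postgresql:postgresql, with ${property} pins resolved."""
    root = ET.fromstring(pom_xml)
    local = lambda tag: tag.split("}", 1)[-1]  # strip the POM XML namespace
    props = {local(p.tag): (p.text or "").strip()
             for el in root.iter() if local(el.tag) == "properties" for p in el}
    found = []
    for dep in (el for el in root.iter() if local(el.tag) == "dependency"):
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.postgresql" and f.get("artifactId") == "postgresql":
            ver = f.get("version", "")
            m = re.fullmatch(r"\$\{(.+)\}", ver)
            found.append(props.get(m.group(1), ver) if m else ver)
    return found

def uses_simple_query_mode(jdbc_url):
    """The advisory's precondition: preferQueryMode=simple in the JDBC URL query string."""
    return "simple" in parse_qs(jdbc_url.partition("?")[2]).get("preferQueryMode", [])

def assess(pom_xml, jdbc_url):
    versions = pgjdbc_versions(pom_xml)
    outdated = [v for v in versions if not driver_is_fixed(v)]
    return {"versions": versions,
            "scanner_warns": bool(outdated),  # what dependency scanners key on
            "exploitable_config": bool(outdated) and uses_simple_query_mode(jdbc_url)}

# Constructed sample pom (hypothetical, not Apicurio's): driver pinned via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><postgresql.version>42.2.20</postgresql.version></properties>
  <dependencies><dependency><groupId>org.postgresql</groupId>
    <artifactId>postgresql</artifactId><version>${postgresql.version}</version>
  </dependency></dependencies></project>"""

if __name__ == "__main__":
    print(assess(SAMPLE_POM, "jdbc:postgresql://db:5432/apicurio"))
```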
Replies: 1 comment
I agree that we are not vulnerable to that CVE. We're moving Studio 0.2 into maintenance mode, so unless a CVE is actually identified as a problem we likely won't fix it. We're ramping up on Studio 1.0, where we will do a better job of keeping everything updated. Studio has languished for a while, but that should change.