Skip to content

Commit 1ad6c8b

Browse files
roryproryp
committed
Override protobuf-java version in milvus-store to fix CVE-2024-7254
The milvus-sdk-java 2.5.8 depends on protobuf-java 3.24.0 which is vulnerable to CVE-2024-7254 (SNYK-JAVA-COMGOOGLEPROTOBUF-8055227) Stack-based Buffer Overflow. This fix adds a dependencyManagement section to override the transitive protobuf-java dependency to use version 3.25.8 (defined in parent pom as protobuf-java.version property) which contains the fix for this CVE.
1 parent 28891ab commit 1ad6c8b

File tree

1 file changed

+11
-0
lines changed
  • vector-stores/spring-ai-milvus-store

1 file changed

+11
-0
lines changed

vector-stores/spring-ai-milvus-store/pom.xml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,17 @@
4141
<maven.compiler.source>17</maven.compiler.source>
4242
</properties>
4343

44+
<!-- Override transitive protobuf-java to fix CVE-2024-7254 (SNYK-JAVA-COMGOOGLEPROTOBUF-8055227) -->
45+
<dependencyManagement>
46+
<dependencies>
47+
<dependency>
48+
<groupId>com.google.protobuf</groupId>
49+
<artifactId>protobuf-java</artifactId>
50+
<version>${protobuf-java.version}</version>
51+
</dependency>
52+
</dependencies>
53+
</dependencyManagement>
54+
4455
<dependencies>
4556
<dependency>
4657
<groupId>org.springframework.ai</groupId>

0 commit comments

Comments
 (0)