bugfix: 修复Apache Commons FileUpload安全漏洞(CVE-2023-24998) #1901

TencentBlueKing · Apr 4, 2023 · 312114b · 312114b
1 parent 08f26cb
commit 312114b
Show file tree

Hide file tree

Showing 8 changed files with 8 additions and 35 deletions.
diff --git a/src/backend/build.gradle b/src/backend/build.gradle
@@ -282,6 +282,14 @@ subprojects {
             dependency "com.beust:jcommander:$jcommanderVersion"
         }
     }
+    dependencies {
+        constraints {
+            implementation('commons-fileupload:commons-fileupload:1.5') {
+                because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+            }
+        }
+    }
+
     configurations {
         all*.exclude group: 'junit', module: 'junit'
         all*.exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'

diff --git a/src/backend/commons/common-security/build.gradle b/src/backend/commons/common-security/build.gradle
@@ -27,11 +27,6 @@ dependencies {
     implementation 'io.jsonwebtoken:jjwt'
     implementation 'com.google.guava:guava'
     implementation 'org.springframework.cloud:spring-cloud-starter-openfeign'
-    constraints {
-        implementation('commons-fileupload:commons-fileupload:1.5') {
-            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
-        }
-    }
     implementation 'org.springframework:spring-context'
     api 'org.springframework.boot:spring-boot'
     api 'org.springframework.boot:spring-boot-autoconfigure'

diff --git a/src/backend/commons/common-service/build.gradle b/src/backend/commons/common-service/build.gradle
@@ -34,11 +34,6 @@ dependencies {
     api 'org.springframework.boot:spring-boot-starter-actuator'
     api 'org.springframework.boot:spring-boot-starter-logging'
     api 'org.springframework.cloud:spring-cloud-starter-openfeign'
-    constraints {
-        implementation('commons-fileupload:commons-fileupload:1.5') {
-            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
-        }
-    }
     api 'org.springframework.cloud:spring-cloud-starter-sleuth'
     if (k8s) {
         println("Compile with kubernetes mode")

diff --git a/src/backend/job-analysis/service-job-analysis/build.gradle b/src/backend/job-analysis/service-job-analysis/build.gradle
@@ -42,11 +42,6 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-jooq"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation "org.springframework.cloud:spring-cloud-starter-openfeign"
-    constraints {
-        implementation('commons-fileupload:commons-fileupload:1.5') {
-            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
-        }
-    }
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"
     implementation "org.slf4j:slf4j-api"

diff --git a/src/backend/job-crontab/service-job-crontab/build.gradle b/src/backend/job-crontab/service-job-crontab/build.gradle
@@ -39,11 +39,6 @@ dependencies {
     implementation "org.apache.commons:commons-collections4"
     api("org.springframework.cloud:spring-cloud-starter-sleuth")
     implementation('org.springframework.cloud:spring-cloud-starter-openfeign')
-    constraints {
-        implementation('commons-fileupload:commons-fileupload:1.5') {
-            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
-        }
-    }
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"
     implementation "org.slf4j:slf4j-api"

diff --git a/src/backend/job-execute/service-job-execute/build.gradle b/src/backend/job-execute/service-job-execute/build.gradle
@@ -41,11 +41,6 @@ dependencies {
     implementation "org.springframework.cloud:spring-cloud-stream"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation 'org.springframework.cloud:spring-cloud-starter-openfeign'
-    constraints {
-        implementation('commons-fileupload:commons-fileupload:1.5') {
-            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
-        }
-    }
     implementation 'org.springframework.boot:spring-boot-starter-amqp'
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"

diff --git a/src/backend/job-file-gateway/service-job-file-gateway/build.gradle b/src/backend/job-file-gateway/service-job-file-gateway/build.gradle
@@ -33,10 +33,5 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-web"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation('org.springframework.cloud:spring-cloud-starter-openfeign')
-    constraints {
-        implementation('commons-fileupload:commons-fileupload:1.5') {
-            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
-        }
-    }
     implementation 'org.apache.httpcomponents:httpclient'
 }
diff --git a/src/backend/job-manage/service-job-manage/build.gradle b/src/backend/job-manage/service-job-manage/build.gradle
@@ -43,11 +43,6 @@ dependencies {
     implementation "org.springframework.cloud:spring-cloud-stream"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation "org.springframework.cloud:spring-cloud-starter-openfeign"
-    constraints {
-        implementation('commons-fileupload:commons-fileupload:1.5') {
-            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
-        }
-    }
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"
     implementation "org.slf4j:slf4j-api"