Based on NVD - CVE-2018-10936 the version of Postgresql Driver before 42.2.5 is vulnerable to a man in the middle attack.
The version imported by default by Cuba is ‘org.postgresql:postgresql:9.4.1212’.
The IDE might need to update it to be imune.
You can easily upgrade the driver version in your build.gradle script. The framework itself does not depend on it and does not have a transitive dependency on PostgreSQL driver.
Thanks for your fast reply (you’re working 24x7 )
I am aware I can change it myself (I did it already ), it is just that I do not know if there is an auto update from the IDE and/or if it wouldn’t make sense to update the version in the IDE.
While reviewing the versions I also found that the spring security 4.2.7 is a dependency of (at least) com.haulmont.cuba:cuba-rest-api. Spirng security has 2 CVE (Pivotal Software Spring Framework version 4.2.7 : Security vulnerabilities)
The cuba-rest also includes jackson-databing-2.9.6 (Fasterxml Jackson-databind : List of security vulnerabilities) and indirectly org.codehaus.jackson:jackson-mapper-asl:1.9.13 which both also has CVE reported
com.haulmont.yarg:yarg:2.0.17 also includes Jasper report 6.4.1 also has 2 CVE (Tibco Jasperreports Library version 6.4.1 : Security vulnerabilities)
batik dom 1.9 also has a few CVE (Apache Batik : List of security vulnerabilities) and is pulled indirectly from com.haulmont.yarg:yarg:2.0.17 and org.apache.xmlgraphics:fop:2.1 → 2.2 which pulls org.apache.xmlgraphics:batik-svg-dom:1.9
Maybe some CVE are not applicable?
thanks for pointing out! We’ve created issues and will update dependencies with the latest bugfix releases.
Thank you for your efficient follow up (as always)!
Have a great day!