Known Security Vulnerabilities to be fixed

[dicaeffe]

Hello,
version 9.0 (and uppers) of Pentaho and of Pentaho SAML plugin have few known CVEs (Common Vulnerabilities and Exposures) due to their dependencies.

Is possible to fix those security issues by updating the versions reported below?

Dependencies inherited from Pentaho

• Has been already requested a fix on Pentaho Platform side.
• Issue: 4788

Dependencies specific of Pentaho SAML Plugin

the version of dependencies reported below is overwritten by the plugin and needs to be fixed because doesn't inherit those of Pentaho Platform.

---

Apache Commons FileUpload

• CVE - 1 issue: CVE-2016-1000031
• Used Version: 1.3.2
• Fix Version: 1.3.3
• update requested on Pentaho: >1.4

karaf

• CVE - 7 issues: CVE-2020-11980, CVE-2019-0226, CVE-2019-0191, CVE-2018-11788, CVE-2018-11786, CVE-2016-8750, CVE-2014-0219
• Used Version: 3.0.3
• Fix Version: 4.2.9 (last minor: 4.2.10)
• update requested on Pentaho: >4.2.9

org.apache.xmlgraphics:batik-bridge

• CVE - 2 issues: CVE-2019-17566, CVE-2019-17566
• Used Version: 1.7
• Fix Version: 1.13
• update requested on Pentaho: >1.13

Spring Security

• CVE - 2 issues: CVE-2014-3527, CVE-2014-0097
• Used Version: 3.1.4.RELEASE
• Fix Version: 3.1.7.RELEASE
• update requested on Pentaho: >4.2.9.RELEASE

spring-framework

• CVE - 2 issues: CVE-2014-3625, CVE-2014-3578
• Used Version: 3.2.11.RELEASE
• Fix Version: 3.2.12.RELEASE (last minor: EOL 3.2.18.RELEASE)
• update requested on Pentaho: >4.3.22.RELEASE