
Commit cbdb20d

committed
RUN-3601: CVE-2025-48924 Fix
Mitigates CVE-2025-48924 by replacing commons-lang (2.x) with commons-lang3 3.18.0 through a Gradle dependency substitution. - Added commons-lang3 3.18.0 dependency to libs.versions.toml - Configured dependency substitution to replace vulnerable commons-lang with commons-lang3 - Ensures all transitive dependencies resolve to the fixed version
1 parent 8bd0f5c commit cbdb20d


2 files changed

+15
-0
lines changed


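--- a/build.gradle
+++ b/build.gradle
@@ -50,6 +50,9 @@ dependencies {
 }
 implementation libs.slf4jApi
 
+// Add secure commons-lang3 to provide alternative to vulnerable commons-lang 2.6
+implementation(libs.commonsLang3)
+
 pluginLibs(libs.awsSdkS3) {
 exclude group: "com.fasterxml.jackson.core"
 exclude group: "com.fasterxml.jackson.dataformat"
@@ -62,6 +65,15 @@ dependencies {
 testImplementation libs.bundles.testLibs
 }
 
+configurations.all {
+resolutionStrategy {
+// Replace vulnerable commons-lang with secure commons-lang3
+dependencySubstitution {
+substitute module('commons-lang:commons-lang') using module("org.apache.commons:commons-lang3:${libs.versions.commonsLang3.get()}")
+}
+}
+}
+
 task copyToLib(type: Copy) {
 into "$buildDir/output/lib"
 from configurations.pluginLibs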
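--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -9,6 +9,8 @@ cglib = "2.2.2"
 byteBuddy = "1.14.12"
 objenesis = "1.4"
 slf4j = "1.7.30"
+# Security overrides for transitive dependencies
+commonsLang3 = "3.18.0"
 
 [libraries]
 rundeckCore = { group = "org.rundeck", name = "rundeck-core", version.ref = "rundeckCore" }
@@ -20,6 +22,7 @@ cglibNodep = { group = "cglib", name = "cglib-nodep", version.ref = "cglib" }
 objenesis = { group = "org.objenesis", name = "objenesis", version.ref = "objenesis" }
 byteBuddy = { group = "net.bytebuddy", name = "byte-buddy", version.ref = "byteBuddy" }
 slf4jApi = { group = "org.slf4j", name = "slf4j-api", version.ref = "slf4j" }
+commonsLang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commonsLang3" }
 
 [bundles]
 testLibs = ["groovyAll", "spockCore", "cglibNodep", "objenesis", "byteBuddy"]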
