CVE-2022-36944 - Scala vulnerability with 9.8 score

[crea1]

Hi 👋

Currently our dependency checks started failing on SwayDB due to the scala libraries related to this CVE https://nvd.nist.gov/vuln/detail/CVE-2022-36944

[ERROR] scala-library-2.13.8.jar: CVE-2022-36944(9.8)
[ERROR] scala-reflect-2.13.0.jar: CVE-2022-36944(9.8)

We are using

    <dependency>
      <groupId>io.swaydb</groupId>
      <artifactId>java_2.13</artifactId>
      <version>0.16.2</version>
    </dependency>

Seems that these are fixed in scala-library 2.13.9, latest being 2.13.10 as of writing.

Would be super nice to get patch on this.

Thank you for SwayDB ❤️

Kind regards,
Marius

[simerplaha]

Hey! Thank you for reporting this. This is something that should definitely be sorted out.

Just FYI, SwayDB's last release was 2 years ago and is over 400 commits behind new updates.

I have not been able to figure out how to continue SwayDB's development. Time being the biggest factor. So I'm not sure when this issue will be resolved.

Thanks heaps for reporting this.

[crea1]

Thank you for replying! I totally understand your situation. But at least now you are aware should you some day find the extra time.

Cheers!