
#1292 [Security] Transient dependencies of dependent library LanguageTool are vulnerable

Milestone: 6.1
Status: open-fixed
Priority: 5
Updated: 2025-07-05
Created: 2025-05-02
Private: No

Transient dependencies of the dependency languagetool-core 6.1 have vulnerabilities.

These are resolved in LT 6.4, but LT 6.4 has a bug which breaks the build of a downstream Gradle project.
https://github.com/languagetool-org/languagetool/issues/9850

| CVEs | Severity | Component |
| ------ | ----- | ----- |
| CVE-2023-5072 | High | org.json:json 20220924 |
| CVE-2022-45688 | High | org.json:json 20220924 |
| CVE-2023-32732 | High | protobuf-java 1.50.2 |
| CVE-2023-32731 | High | protobuf-java 1.50.2 |
| CVE-2023-1428 | High | protobuf-java 1.50.2 |
| CVE-2023-2976 | High | guava-jre 30.1 |
| CVE-2020-8908 | High | guava-jre 30.1 |
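A downstream project can confirm which of these artifacts actually reach its own classpath, and through which direct dependency, by scanning the output of `gradle dependencies`. The checker below is an added example written for this ticket, not code from OmegaT or LanguageTool: the vulnerable-artifact table is transcribed from the ticket (the group ids `org.json`, `com.google.protobuf` and `com.google.guava` are an assumption added here, since the ticket lists artifact names only), and the Gradle report it parses is a hand-constructed sample, not output from a real build.

```python
"""Flag known-vulnerable transitive dependencies in a Gradle dependency tree.

Added example. The CVE table is transcribed from the ticket; the group ids are
an assumption, and SAMPLE_REPORT is constructed by hand, not real build output.
"""
import re
from dataclasses import dataclass

# (group, artifact, version) -> CVEs listed in the ticket's table.
VULNERABLE = {
    ("org.json", "json", "20220924"): ["CVE-2023-5072", "CVE-2022-45688"],
    ("com.google.protobuf", "protobuf-java", "1.50.2"): [
        "CVE-2023-32732", "CVE-2023-32731", "CVE-2023-1428"],
    ("com.google.guava", "guava", "30.1-jre"): ["CVE-2023-2976", "CVE-2020-8908"],
}

# A tree node looks like "|    +--- group:artifact:version", optionally followed
# by " -> resolvedVersion" and markers such as "(*)" or "(c)". Every nesting
# level is 5 characters wide ("|    " or "     ").
NODE_RE = re.compile(
    r"^(?P<indent>(?:[| ]    )*)[+\\]--- (?P<coord>\S+)(?: -> (?P<resolved>\S+))?"
)


@dataclass(frozen=True)
class Finding:
    group: str
    artifact: str
    version: str
    cves: tuple
    path: tuple  # chain of coordinates from the direct dependency down to this one


def parse_tree(report: str):
    """Yield (depth, (group, artifact, version)) for each external artifact node."""
    for line in report.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 2:
            continue  # e.g. "project :sub" nodes are not external artifacts
        # A "->" suffix means Gradle substituted another version at resolution time;
        # that resolved version is the one that ends up on the classpath.
        version = m.group("resolved") or (parts[2] if len(parts) == 3 else None)
        if version is None:
            continue
        yield len(m.group("indent")) // 5, (parts[0], parts[1], version)


def find_vulnerable(report: str, db=VULNERABLE):
    """Return a Finding for every vulnerable node, with the path that pulls it in."""
    findings, stack = [], []
    for depth, coord in parse_tree(report):
        del stack[depth:]  # drop siblings/descendants of the previous node
        stack.append(coord)
        if coord in db:
            findings.append(Finding(*coord, tuple(db[coord]),
                                    tuple(":".join(c) for c in stack)))
    return findings


def format_findings(findings) -> str:
    return "\n".join(f"{', '.join(f.cves)}: {' -> '.join(f.path)}" for f in findings)


# Constructed sample in the layout of `gradle dependencies --configuration runtimeClasspath`.
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.languagetool:languagetool-core:6.1
|    +--- org.json:json:20220924
|    +--- com.google.guava:guava:30.1-jre
|    |    \\--- com.google.guava:failureaccess:1.0.1
|    \\--- com.google.protobuf:protobuf-java:1.50.2
+--- org.slf4j:slf4j-api:2.0.7
\\--- com.example:other-lib:1.0
     \\--- org.json:json:20220924 (*)
"""

if __name__ == "__main__":
    print(format_findings(find_vulnerable(SAMPLE_REPORT)))
```

Each finding reports the full chain from the direct dependency, so a project can tell whether an artifact is pulled in only through languagetool-core (and would be cured by upgrading LT) or also through another library, which a pinned version or dependency constraint would need to cover as well.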

Discussion

  • Hiroshi Miura

    Hiroshi Miura - 2025-05-02
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -6,9 +6,12 @@
    
     CVEs | Severity |  Component
     ------ | ----- | -----
    -CVE-2023-4586⁠ |   High |  io.netty/netty-handler 4.1.79.Final
    -CVE-2023-34462⁠ |  Medium  | io.netty/netty-handler 4.1.79.Final
    -CVE-2023-5072⁠ |   High  | org.json/json 20230227
    -CVE-2023-44487⁠ |  High |  io.netty/netty-codec 4.1.79.Final
     CVE-2023-6378⁠     | High  | ch.qos.logback/logback-core 1.3.6
     CVE-2023-6378⁠     | High  | ch.qos.logback/logback-classic 1.3.6
    +CVE-2023-5072 | org.json:json 20220924
    +CVE-2022-45688 | org.json:json 20220924
    +CVE-2023-32732 | protobuf-java 1.50.2
    +CVE-2023-32731 | protobuf-java 1.50.2
    +CVE-2023-1428 | protobuf-java 1.50.2
    +CVE-2023-2976 | guava-jre 30.1
    +CVE-2020-8908 | guava-jre 30.1
    
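    Review bot: the seven added rows (`+CVE-2023-5072 | org.json:json 20220924` through `+CVE-2020-8908 | guava-jre 30.1`) have only two cells, while the header kept in context is `CVEs | Severity | Component`, so the Severity column is empty for all new entries; each row should carry a severity cell, e.g. `CVE-2023-5072 | High | org.json:json 20220924`.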
     
  • Hiroshi Miura

    Hiroshi Miura - 2025-05-02
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -8,10 +8,10 @@
     ------ | ----- | -----
     CVE-2023-6378⁠     | High  | ch.qos.logback/logback-core 1.3.6
     CVE-2023-6378⁠     | High  | ch.qos.logback/logback-classic 1.3.6
    -CVE-2023-5072 | org.json:json 20220924
    -CVE-2022-45688 | org.json:json 20220924
    -CVE-2023-32732 | protobuf-java 1.50.2
    -CVE-2023-32731 | protobuf-java 1.50.2
    -CVE-2023-1428 | protobuf-java 1.50.2
    -CVE-2023-2976 | guava-jre 30.1
    -CVE-2020-8908 | guava-jre 30.1
    +CVE-2023-5072 | High | org.json:json 20220924
    +CVE-2022-45688 | High | org.json:json 20220924
    +CVE-2023-32732 | High | protobuf-java 1.50.2
    +CVE-2023-32731 | High |protobuf-java 1.50.2
    +CVE-2023-1428 | High | protobuf-java 1.50.2
    +CVE-2023-2976 | High | guava-jre 30.1
    +CVE-2020-8908 | High | guava-jre 30.1
    
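    Review bot: the row `+CVE-2023-32731 | High |protobuf-java 1.50.2` is missing the space after the second pipe, unlike its neighbours; for consistency with the other rows it should read `CVE-2023-32731 | High | protobuf-java 1.50.2`.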
     
  • Hiroshi Miura

    Hiroshi Miura - 2025-05-02
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -6,8 +6,6 @@
    
     CVEs | Severity |  Component
     ------ | ----- | -----
    -CVE-2023-6378⁠     | High  | ch.qos.logback/logback-core 1.3.6
    -CVE-2023-6378⁠     | High  | ch.qos.logback/logback-classic 1.3.6
     CVE-2023-5072 | High | org.json:json 20220924
     CVE-2022-45688 | High | org.json:json 20220924
     CVE-2023-32732 | High | protobuf-java 1.50.2
    
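    Review bot: the two logback rows (`-CVE-2023-6378 | High | ch.qos.logback/logback-core 1.3.6` and the logback-classic row) are dropped without a stated reason in the ticket; a short note on whether they were resolved or reclassified would help readers of the history understand why the component list shrank.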
     
  • Hiroshi Miura

    Hiroshi Miura - 2025-05-03
    • labels: --> security, dependency
    • summary: Transient dependencies of dependent library LanguageTool are vulnerable --> [Security] Transient dependencies of dependent library LanguageTool are vulnerable
     
  • Hiroshi Miura

    Hiroshi Miura - 2025-07-05
    • status: open --> open-fixed
     
  • Hiroshi Miura

    Hiroshi Miura - 2025-07-05

    We have worked on the issue at https://github.com/omegat-org/omegat/pull/1370 and it has been merged on 6 May.

     
