From 7da7b7abf77203c5b882488899d28934bab5f923 Mon Sep 17 00:00:00 2001
From: Alexander F <eichelalex@gmail.com>
Date: Mon, 3 Jun 2024 10:05:54 +0200
Subject: [PATCH] fixing vulnerabilities
 CVE-2024-29857,CVE-2024-30171,CVE-2024-30172,CVE-2024-34447,CVE-2024-28752

---
 pom.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/pom.xml b/pom.xml
index d4f9d46..8d338b3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -85,6 +85,7 @@
         <dvalin.version>1.35</dvalin.version>
         <cloudconductor.api.version>3.9</cloudconductor.api.version>
         <aws.version>1.12.641</aws.version>
+        <cxf.version>3.5.8</cxf.version>
         <junit.version>5.10.1</junit.version>
         <jetty.version>9.4.53.v20231009</jetty.version>
     </properties>
@@ -139,6 +140,38 @@
             <artifactId>nimbus-jose-jwt</artifactId>
             <version>9.37.3</version>
         </dependency>
+        <!-- needed to fix CVE-2024-29857,CVE-2024-30171,CVE-2024-30172,CVE-2024-34447, remove after dvalin fixes this vulnerability-->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+            <version>1.78.1</version>
+        </dependency>
+        <!-- CXF: needed to fix CVE-2024-28752, can be removed when apache cxf dependency in dvalin is fixed -->
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-core</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-frontend-jaxrs</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-transports-http-jetty</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-security-cors</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-rs-client</artifactId>
+            <version>${cxf.version}</version>
+        </dependency>
         <!-- Database drivers -->
         <dependency>
             <groupId>org.postgresql</groupId>