CVE漏洞修复：涉及漏洞编号

CVE-2016-1000027
              CVE-2020-5408
              CVE-2023-33201
              CVE-2023-24998
              CVE-2023-6378
              CVE-2023-1454
              CVE-2023-33779
              CVE-2022-40929
              CVE-2022-41404
              CVE-2020-10683
              CVE-2020-24922
              CVE-2018-1000632
              CVE-2018-14335
              CVE-2017-10355
              CVE-2017-18197CVE-2022-1471
                            CVE-2023-38286
                            CVE-2016-1000027
                            CVE-2020-5408
                            CVE-2021-35515
                            CVE-2021-35516
                            CVE-2021-35517
                            CVE-2021-36090z
                            CVE-2022-25857
                            CVE-2022-38749
                            CVE-2022-38750
                            CVE-2022-38751
                            CVE-2022-38752
                            CVE-2022-41854
                            CVE-2023-33201
                            CVE-2023-24998
                            CVE-2023-6378
                            CVE-2023-1454
                            CVE-2023-33202
                            CVE-2023-33779
                            CVE-2023-42809
                            CVE-2023-43642
                            CVE-2022-26336
                            CVE-2022-40149
                            CVE-2022-40150
                            CVE-2022-40929
                            CVE-2022-41404
                            CVE-2022-45693
                            CVE-2022-45868
                            CVE-2020-10683
                            CVE-2020-24922
                            CVE-2018-1000632
                            CVE-2018-14335
                            CVE-2018-1000632
                            CVE-2017-18197
                            CVE-2023-51074

yudao-dependencies/pom.xml

@@ -83,6 +83,16 @@
         <jimureport.version>1.6.6</jimureport.version>
         <xercesImpl.version>2.12.2</xercesImpl.version>
         <weixin-java.version>4.6.0</weixin-java.version>
+        <!--安全漏洞cve修复-->
+        <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
+        <snappy.version>1.1.10.5</snappy.version>
+        <poi.version>5.2.5</poi.version>
+        <autopoi.version>1.4.7</autopoi.version>
+        <jettison.version>1.5.3</jettison.version>
+        <jeecg.version>3.6.2</jeecg.version>
+        <bcpkix.version>1.77</bcpkix.version>
+        <snakeyaml.version>2.2</snakeyaml.version>
+        <commons-compress.verion>1.26.0</commons-compress.verion>
     </properties>
 
     <dependencyManagement>
@@ -108,8 +118,16 @@
                 <version>${spring.cloud.alibaba.version}</version>
                 <type>pom</type>
                 <scope>import</scope>
+                <exclusions>
+                    <exclusion>
+                        <artifactId>snakeyaml</artifactId>
+                        <groupId>org.yaml</groupId>
+                    </exclusion>
+                </exclusions>
             </dependency>
 
+
+
             <!-- 业务组件 -->
             <dependency>
                 <groupId>cn.iocoder.cloud</groupId>
@@ -367,11 +385,84 @@
                 <artifactId>spring-boot-admin-starter-server</artifactId> <!-- 实现 Spring Boot Admin Server 服务端 -->
                 <version>${spring-boot-admin.version}</version>
             </dependency>
+            <!--CVE-2023-38286漏洞修复-->
+            <dependency>
+                <groupId>org.thymeleaf</groupId>
+                <artifactId>thymeleaf</artifactId>
+                <version>${thymeleaf.version}</version>
+            </dependency>
             <dependency>
                 <groupId>de.codecentric</groupId>
                 <artifactId>spring-boot-admin-starter-client</artifactId> <!-- 实现 Spring Boot Admin Server 服务端 -->
                 <version>${spring-boot-admin.version}</version>
             </dependency>
+            <!--安全漏洞CVE修复-->
+
+            <!--CVE-2023-42809 漏洞修复-->
+            <dependency>
+                <groupId>org.xerial.snappy</groupId>
+                <artifactId>snappy-java</artifactId>
+                <version>${snappy.version}</version>
+            </dependency>
+            <!--CVE-2022-26336 漏洞修复 待明确-->
+            <dependency>
+                <groupId>org.apache.poi</groupId>
+                <artifactId>poi-scratchpad</artifactId>
+                <version>${poi.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.jeecgframework</groupId>
+                <artifactId>autopoi-parent</artifactId>
+                <version>${autopoi.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.apache.poi</groupId>
+                        <artifactId>poi-scratchpad</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+
+            <!--CVE-2022-40149 漏洞修复 待明确-->
+            <dependency>
+                <groupId>org.codehaus.jettison</groupId>
+                <artifactId>jettison</artifactId>
+                <version>${jettison.version}</version>
+
+            </dependency>
+            <!--CVE-2023-1454 漏洞修复 待明确-->
+            <dependency>
+                <groupId>org.jeecgframework.boot</groupId>
+                <artifactId>jeecg-boot-common</artifactId>
+                <version>${jeecg.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <!--CVE 2023 33202漏洞修复不明确-->
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-jdk18on</artifactId>
+                <version>${bcpkix.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.h2database</groupId> <!-- 单元测试，我们采用 H2 作为数据库 -->
+                <artifactId>h2</artifactId>
+                <version>2.2.222</version>
+            </dependency>
+
+            <dependency>
+                <groupId>com.jayway.jsonpath</groupId>
+                <artifactId>json-path</artifactId>
+                <version>2.9.0</version>
+            </dependency>
+
+            <!--CVE-2023-24998漏洞修复 -->
+            <dependency>
+                <groupId>commons-fileupload</groupId>
+                <artifactId>commons-fileupload</artifactId>
+                <version>1.5</version>
+            </dependency>
+
+
 
             <!-- Test 测试相关 -->
             <dependency>
@@ -474,7 +565,11 @@
                 <artifactId>easyexcel</artifactId>
                 <version>${easyexcel.verion}</version>
             </dependency>
-
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-compress</artifactId>
+                <version>${commons-compress.verion}</version>
+            </dependency>
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
@@ -658,7 +753,14 @@
                 <artifactId>xercesImpl</artifactId>
                 <version>${xercesImpl.version}</version>
             </dependency>
+            <!--CVE-2022-38752 漏洞修复-->
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>${snakeyaml.version}</version>
 
+                <scope>compile</scope>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

yudao-framework/yudao-spring-boot-starter-env/pom.xml

@@ -33,8 +33,34 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>logback-classic</artifactId>
+                    <groupId>ch.qos.logback</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!--CVE-2022-38752 漏洞修复-->
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <scope>compile</scope>
         </dependency>
 
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+            <version>1.4.14</version>
+        </dependency>
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-core</artifactId>
+            <version>1.4.14</version>
+        </dependency>
         <!-- Web 相关 -->
         <dependency>
             <groupId>org.springframework</groupId>
@@ -50,7 +76,19 @@
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-loadbalancer</artifactId>
+            <exclusions>
+                <exclusion>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                    <groupId>org.bouncycastle</groupId>
+                </exclusion>
+            </exclusions>
         </dependency>
+        <!--CVE-2023-33201 CVE-2023-33202 漏洞修复-->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>io.github.openfeign</groupId>
             <artifactId>feign-core</artifactId>

yudao-framework/yudao-spring-boot-starter-rpc/pom.xml

@@ -27,6 +27,17 @@
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-loadbalancer</artifactId>
+            <exclusions>
+                <exclusion>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                    <groupId>org.bouncycastle</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!--CVE-2023-33201 CVE-2023-33202 漏洞修复-->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.cloud</groupId>

yudao-framework/yudao-spring-boot-starter-web/pom.xml

@@ -44,6 +44,11 @@
             <artifactId>spring-security-core</artifactId>
             <scope>provided</scope> <!-- 设置为 provided，主要是 GlobalExceptionHandler 使用 -->
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-crypto</artifactId>
+            <version>6.2.1</version>
+        </dependency>
 
         <dependency>
             <groupId>com.github.xiaoymin</groupId> <!-- 接口文档 -->

yudao-module-report/yudao-module-report-biz/pom.xml

@@ -109,6 +109,12 @@
             <groupId>org.jeecgframework.jimureport</groupId>
             <artifactId>jimureport-spring-boot-starter</artifactId>
         </dependency>
+        <!--CVE-2022-40150漏洞修复-->
+        <dependency>
+            <groupId>org.codehaus.jettison</groupId>
+            <artifactId>jettison</artifactId>
+            <version>1.5.4</version>
+        </dependency>
         <!-- 单独依赖升级版本，解决低版本validator失败问题 -->
         <dependency>
             <groupId>xerces</groupId>