Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(dependencies): remove org.quartz-scheduler:quartz #6257

Merged
merged 1 commit into from
Mar 24, 2025
Merged

feat(dependencies): remove org.quartz-scheduler:quartz #6257

merged 1 commit into from
Mar 24, 2025

Conversation

halibobo1205
Copy link
Contributor

What does this PR do?
Remove org.quartz-scheduler:quartz to avoid potential impacts CVE-2023-39017.

Tip

Tron does not use this scenario for now.

Why are these changes required?

quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument.

Important

this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.

This PR has been tested by:

  • Unit Tests
  • Manual Testing

Follow up

Extra details

@CodeNinjaEvan CodeNinjaEvan merged commit 3e1ab7f into tronprotocol:release_v4.8.0 Mar 24, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuekun0707 yuekun0707 yuekun0707 approved these changes

@CodeNinjaEvan CodeNinjaEvan CodeNinjaEvan approved these changes

@xxo1shine xxo1shine xxo1shine approved these changes

@eodiandie eodiandie eodiandie approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@halibobo1205 @yuekun0707 @CodeNinjaEvan @xxo1shine @eodiandie