2.0.16 Fixed vulnerabilities in six dependencies

This release fixes the following vulnerabilities:

• CVE-2025-68161 in org.apache.logging.log4j:log4j-core:jar:2.20.0:provided
• CVE-2025-46295 in org.apache.commons:commons-text:jar:1.10.0:provided
• CVE-2025-67735 in io.netty:netty-codec-http:jar:4.2.7.Final:provided
• CVE-2025-66566 in org.lz4:lz4-java:jar:1.8.0:provided
• CVE-2025-12183 in org.lz4:lz4-java:jar:1.8.0:provided
• CVE-2025-12383 in org.glassfish.jersey.core:jersey-client:jar:2.40:provided

Security

• #79: Fixed CVE-2025-68161 in org.apache.logging.log4j:log4j-core:jar:2.20.0:provided
• #78: Fixed CVE-2025-46295 in org.apache.commons:commons-text:jar:1.10.0:provided
• #77: Fixed CVE-2025-67735 in io.netty:netty-codec-http:jar:4.2.7.Final:provided
• #76: Fixed CVE-2025-66566 in org.lz4:lz4-java:jar:1.8.0:provided
• #75: Fixed CVE-2025-12183 in org.lz4:lz4-java:jar:1.8.0:provided
• #74: Fixed CVE-2025-12383 in org.glassfish.jersey.core:jersey-client:jar:2.40:provided

Dependency Updates

Compile Dependency Updates

• Added at.yawk.lz4:lz4-java:1.10.2
• Updated com.exasol:exasol-jdbc:24.2.1 to 25.2.5

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.1.4 to 7.2.2
• Updated com.exasol:hamcrest-resultset-matcher:1.7.0 to 1.7.2
• Updated com.exasol:java-util-logging-testing:2.0.3 to 2.0.4
• Updated com.exasol:test-db-builder-java:3.6.0 to 3.6.4
• Updated nl.jqno.equalsverifier:equalsverifier:3.19 to 3.19.4
• Updated org.junit.jupiter:junit-jupiter-api:5.11.4 to 5.14.1
• Updated org.junit.jupiter:junit-jupiter:5.11.4 to 5.14.1
• Updated org.mockito:mockito-core:5.15.2 to 5.21.0
• Updated org.mockito:mockito-junit-jupiter:5.15.2 to 5.21.0
• Removed org.testcontainers:junit-jupiter:1.20.4
• Added org.testcontainers:testcontainers-junit-jupiter:2.0.3

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:5.4.3 to 5.4.4
• Updated org.apache.maven.plugins:maven-resources-plugin:3.3.1 to 3.4.0
• Updated org.codehaus.mojo:versions-maven-plugin:2.19.1 to 2.20.1
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.2.0.4988 to 5.5.0.6356

2.0.15 Fixing CVEs in Netty

This release upgrades transitive dependencies to fix CVEs in the Netty library.

Security

• #68: CVE-2025-58057: io.netty:netty-codec:jar:4.1.124.Final:provided
• #70: CVE-2025-58056: io.netty:netty-codec-http:jar:4.1.124.Final:provided
• CVE-2025-58457 CWE-280: Improper Handling of Insufficient Permissions or Privileges in org.apache.zookeeper:zookeeper:jar:3.9.3:provided

Dependency Updates

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.4 to 2.0.5
• Updated com.exasol:project-keeper-maven-plugin:5.2.3 to 5.4.3
• Updated com.exasol:quality-summarizer-maven-plugin:0.2.0 to 0.2.1
• Updated io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1 to 9.0.2
• Updated org.apache.maven.plugins:maven-artifact-plugin:3.6.0 to 3.6.1
• Updated org.apache.maven.plugins:maven-clean-plugin:3.4.1 to 3.5.0
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.14.0 to 3.14.1
• Updated org.apache.maven.plugins:maven-enforcer-plugin:3.5.0 to 3.6.2
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.3 to 3.5.4
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.7 to 3.2.8
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.11.2 to 3.12.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.3 to 3.5.4
• Updated org.codehaus.mojo:flatten-maven-plugin:1.7.0 to 1.7.3
• Updated org.codehaus.mojo:versions-maven-plugin:2.18.0 to 2.19.1
• Updated org.jacoco:jacoco-maven-plugin:0.8.13 to 0.8.14
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751 to 5.2.0.4988
• Updated org.sonatype.central:central-publishing-maven-plugin:0.7.0 to 0.9.0

2.0.14 Fixes for vulnerability CVE-2025-55163

This release fixes the following vulnerability:

CVE-2025-55163 (CWE-770) in dependency io.netty:netty-codec-http2:jar:4.1.118.Final:provided

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

CVE: CVE-2025-55163
CWE: CWE-770

References

• https://ossindex.sonatype.org/vulnerability/CVE-2025-55163?component-type=maven&component-name=io.netty%2Fnetty-codec-http2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-55163
• GHSA-prj3-ccx8-p6x4

Security

• #65: Fixed vulnerability CVE-2025-55163 in dependency io.netty:netty-codec-http2:jar:4.1.118.Final:provided

2.0.13 Fixes for vulnerabilities CVE-2025-48924 and CVE-2025-53864

This release fixes the following vulnerabilities:

CVE-2025-53864 (CWE-121) in dependency com.google.code.gson:gson:jar:2.10.1:provided

github.com/sigstore/sigstore-java (gson) - Stack-based Buffer Overflow [CVE-2025-53864]

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

CVE: CVE-2025-53864
CWE: CWE-121

References

• https://ossindex.sonatype.org/vulnerability/CVE-2025-53864?component-type=maven&component-name=com.google.code.gson%2Fgson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• https://issues.oss-fuzz.com/issues/384541935

CVE-2025-48924 (CWE-674) in dependency org.apache.commons:commons-lang3:jar:3.17.0:test

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

CVE: CVE-2025-48924
CWE: CWE-674

References

• https://ossindex.sonatype.org/vulnerability/CVE-2025-48924?component-type=maven&component-name=org.apache.commons%2Fcommons-lang3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
• GHSA-j288-q9x7-2f5v

Security

• #63: Fixed vulnerability CVE-2025-53864 in dependency com.google.code.gson:gson:jar:2.10.1:provided
• #62: Fixed vulnerability CVE-2025-48924 in dependency org.apache.commons:commons-lang3:jar:3.17.0:test

Dependency Updates

Test Dependency Updates

• Removed org.apache.commons:commons-lang3:3.17.0

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.3 to 2.0.4
• Updated com.exasol:project-keeper-maven-plugin:5.2.2 to 5.2.3

2.0.12 Fixed vulnerabilities

This release fixes the following vulnerabilities:

CVE-2025-47436 (CWE-122) in dependency org.apache.orc:orc-core:jar:shaded-protobuf:1.9.4:provided

Heap-based Buffer Overflow vulnerability in Apache ORC.

A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption.

This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1.

Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.

CVE-2024-55551 (CWE-94) in dependency com.exasol:exasol-jdbc:jar:24.2.1:compile

An issue was discovered in Exasol jdbc driver 24.2.0. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution vulnerability.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-55551?component-type=maven&component-name=com.exasol%2Fexasol-jdbc&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-55551
• https://gist.github.com/azraelxuemo/9565ec9219e0c3e9afd5474904c39d0f

Security

• #58: Fixed vulnerability CVE-2025-47436 in dependency org.apache.orc:orc-core:jar:shaded-protobuf:1.9.4:provided
• #56: Fixed vulnerability CVE-2024-55551 in dependency com.exasol:exasol-jdbc:jar:24.2.1:compile

Dependency Updates

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.1.3 to 7.1.4

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.5.0 to 5.2.2
• Added io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1
• Removed io.github.zlika:reproducible-build-maven-plugin:0.17
• Added org.apache.maven.plugins:maven-artifact-plugin:3.6.0
• Updated org.apache.maven.plugins:maven-clean-plugin:3.4.0 to 3.4.1
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.13.0 to 3.14.0
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.1.3 to 3.1.4
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.2 to 3.5.3
• Updated org.apache.maven.plugins:maven-install-plugin:3.1.3 to 3.1.4
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.11.1 to 3.11.2
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.2 to 3.5.3
• Updated org.codehaus.mojo:flatten-maven-plugin:1.6.0 to 1.7.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.12 to 0.8.13
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389 to 5.1.0.4751
• Added org.sonatype.central:central-publishing-maven-plugin:0.7.0
• Removed org.sonatype.plugins:nexus-staging-maven-plugin:1.7.0

2.0.11 Fixed CVE-2025-24970 and CVE-2025-25193

This update fixes CVE-2025-24970 and CVE-2025-25193 in transitive netty dependency.
It also updates other dependencies.

Security

• #52: Fixed CVE-2025-25193
• #53: Fixed CVE-2025-24970

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:24.2.0 to 24.2.1

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.1.1 to 7.1.3
• Removed com.fasterxml.jackson.core:jackson-core:2.18.1
• Updated nl.jqno.equalsverifier:equalsverifier:3.17.3 to 3.19
• Updated org.junit.jupiter:junit-jupiter-api:5.11.3 to 5.11.4
• Updated org.junit.jupiter:junit-jupiter:5.11.3 to 5.11.4
• Updated org.mockito:mockito-core:5.14.2 to 5.15.2
• Updated org.mockito:mockito-junit-jupiter:5.14.2 to 5.15.2
• Updated org.testcontainers:junit-jupiter:1.20.3 to 1.20.4

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.4.0 to 4.5.0
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.1.2 to 3.1.3
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.1 to 3.5.2
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.10.1 to 3.11.1
• Updated org.apache.maven.plugins:maven-site-plugin:3.9.1 to 3.21.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.1 to 3.5.2
• Updated org.codehaus.mojo:versions-maven-plugin:2.17.1 to 2.18.0
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121 to 5.0.0.4389

2.0.10 Fixed vulnerabilities CVE-2024-47535 and CVE-2024-51504

This release fixes the following vulnerabilities:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.114.Final:provided

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-47535?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47535
• GHSA-xq3w-v528-46rv

CVE-2024-51504 (CWE-290) in dependency org.apache.zookeeper:zookeeper:jar:3.9.2:provided

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-51504?component-type=maven&component-name=org.apache.zookeeper%2Fzookeeper&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-51504
• https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh

Security

• #50: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.114.Final:provided
• #48: Fixed vulnerability CVE-2024-51504 in dependency org.apache.zookeeper:zookeeper:jar:3.9.2:provided

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:24.1.2 to 24.2.0

Test Dependency Updates

• Updated com.fasterxml.jackson.core:jackson-core:2.18.0 to 2.18.1
• Updated nl.jqno.equalsverifier:equalsverifier:3.17.1 to 3.17.3
• Added org.apache.commons:commons-lang3:3.17.0
• Updated org.junit.jupiter:junit-jupiter-api:5.11.2 to 5.11.3
• Updated org.junit.jupiter:junit-jupiter:5.11.2 to 5.11.3
• Updated org.testcontainers:junit-jupiter:1.20.2 to 1.20.3

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
• Added com.exasol:quality-summarizer-maven-plugin:0.2.0
• Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
• Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
• Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.4 to 3.2.7
• Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.7.0 to 3.10.1
• Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
• Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1

2.0.9 Fixed vulnerability CVE-2024-47561 in org.apache.avro:avro:jar:1.11.3:provided, upgrade dependencies

This release upgrades current dependencies and fixes the following vulnerability:

CVE-2024-47561 (CWE-502) in dependency org.apache.avro:avro:jar:1.11.3:provided

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-47561?component-type=maven&component-name=org.apache.avro%2Favro&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47561
• https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x

Security

• #44: CVE-2024-47561: org.apache.avro:avro:jar:1.11.3:provided

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:24.1.0 to 24.1.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.1.0 to 7.1.1
• Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
• Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
• Updated com.fasterxml.jackson.core:jackson-core:2.17.1 to 2.18.0
• Updated nl.jqno.equalsverifier:equalsverifier:3.16.1 to 3.17.1
• Updated org.hamcrest:hamcrest:2.2 to 3.0
• Updated org.junit.jupiter:junit-jupiter-api:5.10.2 to 5.11.2
• Updated org.junit.jupiter:junit-jupiter:5.10.2 to 5.11.2
• Updated org.mockito:mockito-core:5.12.0 to 5.14.2
• Updated org.mockito:mockito-junit-jupiter:5.12.0 to 5.14.2
• Updated org.testcontainers:junit-jupiter:1.19.8 to 1.20.2

2.0.8 Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided

This release fixes vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided which could lead to unbounded recursion.

Security

• #41: CVE-2024-7254: com.google.protobuf:protobuf-java:jar:3.19.6:provided

Dependency Updates

Compile Dependency Updates

• Removed io.netty:netty-all:4.1.111.Final
• Removed joda-time:joda-time:2.12.7
• Removed org.apache.avro:avro:1.11.3
• Removed org.apache.commons:commons-compress:1.26.2
• Removed org.apache.ivy:ivy:2.5.2
• Removed org.apache.zookeeper:zookeeper:3.9.2
• Removed org.codehaus.janino:janino:3.1.12
• Removed org.xerial.snappy:snappy-java:1.1.10.5

2.0.7 Test with Exasol v8

This release verifies that this project works with Exasol v8 by running integration tests with the latest Exasol Docker DB version.

Features

• #34: Added integration tests with Exasol v8

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:exasol-jdbc:24.0.0 to 24.1.0
• Updated io.netty:netty-all:4.1.109.Final to 4.1.111.Final
• Updated org.apache.commons:commons-compress:1.26.1 to 1.26.2

Test Dependency Updates

• Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.0
• Updated com.fasterxml.jackson.core:jackson-core:2.17.0 to 2.17.1
• Updated nl.jqno.equalsverifier:equalsverifier:3.15.8 to 3.16.1
• Updated org.mockito:mockito-core:5.11.0 to 5.12.0
• Updated org.mockito:mockito-junit-jupiter:5.11.0 to 5.12.0
• Updated org.testcontainers:junit-jupiter:1.19.7 to 1.19.8

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.3.2 to 4.3.3