The known vulnerability in the shared library zstd which FastAsyncWorldEdit-Core depends on. Can you help upgrade to patch versions?
HelenParr opened this issue · 1 comments
Server Implementation
Paper
Server Version
1.18.2
Describe the bug
Hi, @sk89q , @dordsor21, I'd like to report a vulnerable dependency in com.fastasyncworldedit:FastAsyncWorldEdit-Core:2.1.1.
Issue Description
I noticed that com.fastasyncworldedit:FastAsyncWorldEdit-Core:2.1.1 directly depends on com.github.luben:zstd-jni:v1.4.8-1 in the pom. However, as shown in the following dependency graph, com.github.luben:zstd-jni:v1.4.8-1 suffers from the vulnerability which the C library zstd (version 1.4.8) exposed: CVE-2021-24032.
Dependency Graph between Java and Shared Libraries
Suggested Vulnerability Patch Versions
com.github.luben:zstd-jni:v1.4.9-1 (>=v1.4.9-1) has upgraded this vulnerable C library zstd to the patch version 1.4.9.
Java build tools cannot report vulnerable C libraries, which may induce potential security issues in many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~
Best regards,
Helen Parr
To Reproduce
NONE
Expected behaviour
NONE
Screenshots / Videos
No response
Error log (if applicable)
NONE
Fawe Debugpaste
NONE
Fawe Version
com.fastasyncworldedit:FastAsyncWorldEdit-Core:2.1.1
Checklist
- I have included a Fawe debugpaste.
- I am using the newest build from https://ci.athion.net/job/FastAsyncWorldEdit/ and the issue still persists.
Anything else?
No response
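The report's core point is that a Maven or Gradle build sees only the Java coordinate (com.github.luben:zstd-jni:v1.4.8-1) and not the native zstd it bundles, so the usual dependency scanners stay silent. The script below is an added example, not part of the issue or of the FastAsyncWorldEdit project: it parses a pom.xml, looks up dependencies that are known wrappers around native libraries, and flags any whose version is below the first release that ships the patched native code. The pom content is constructed for the example (it mirrors the dependency named in the issue), and the `KNOWN_NATIVE_WRAPPERS` table is an assumption, seeded with the one fact the issue gives: zstd-jni v1.4.9-1 is the first version carrying zstd 1.4.9.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml modelled on the dependency described in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.fastasyncworldedit</groupId>
  <artifactId>FastAsyncWorldEdit-Core</artifactId>
  <version>2.1.1</version>
  <dependencies>
    <dependency>
      <groupId>com.github.luben</groupId>
      <artifactId>zstd-jni</artifactId>
      <version>v1.4.8-1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unrelated-lib</artifactId>
      <version>3.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Assumed table of Java artifacts that embed native code, keyed by Maven
# coordinate, mapping to (first version with the patched native library, advisory).
# The single entry comes from the issue text; a real deployment would keep this
# table in sync with the vendor's release notes.
KNOWN_NATIVE_WRAPPERS = {
    ("com.github.luben", "zstd-jni"): ("v1.4.9-1", "CVE-2021-24032"),
}

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn a version string such as 'v1.4.8-1' into a comparable tuple (1, 4, 8, 1).

    zstd-jni appends a wrapper-release suffix ('-1') after the native version, so
    comparing the full numeric tuple orders both the native and wrapper parts.
    """
    numbers = re.findall(r"\d+", version)
    if not numbers:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(n) for n in numbers)


def list_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> in the pom."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall(".//m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        version = dep.findtext("m:version", namespaces=POM_NS)
        deps.append((group, artifact, version))
    return deps


def find_vulnerable_native_wrappers(pom_xml):
    """Flag dependencies whose bundled native library predates the patched release."""
    findings = []
    for group, artifact, version in list_dependencies(pom_xml):
        entry = KNOWN_NATIVE_WRAPPERS.get((group, artifact))
        if entry is None or version is None:
            # Not a tracked native wrapper, or version inherited from a parent pom
            # (resolving parents is out of scope for this example).
            continue
        min_fixed, advisory = entry
        if parse_version(version) < parse_version(min_fixed):
            findings.append({
                "coordinate": f"{group}:{artifact}:{version}",
                "fixed_in": min_fixed,
                "advisory": advisory,
            })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_native_wrappers(SAMPLE_POM):
        print(f"{finding['coordinate']} bundles a native library affected by "
              f"{finding['advisory']}; upgrade to >= {finding['fixed_in']}")
```

Run against a real project's pom.xml by reading the file into `find_vulnerable_native_wrappers`; versions declared only in a parent pom or in `dependencyManagement` come back as `None` and are skipped, which is the main gap a production version of this check would need to close.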