On the other hand: that was an automated update. I am not sure that Dependabot understands the shading.
Shouldn't it also update the protobuf.version.string variable?
Sonatype reports CVE-2024-7254 on io.prometheus : prometheus-metrics-shaded-protobuf with a CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N score of 8.7.
It is reported that all versions of prometheus-metrics-shaded-protobuf up to and including 1.3.1 are affected.
There is currently no unaffected version of prometheus-metrics-shaded-protobuf available, while the unshaded library protobuf-java was already fixed.
See also GHSA-735f-pc8j-v9w8