From 2467e026a1e304e58940f4197cf48caca0de2452 Mon Sep 17 00:00:00 2001
From: Jonathan <jonathan.roques@camunda.com>
Date: Tue, 1 Oct 2024 10:53:58 +0200
Subject: [PATCH] other(cve): Fix 2 Critical CVEs (#3399)

* other(cve): Fix 2 Critical CVEs

* other(cve): Fix CVE-2024-31573
---
 bundle/camunda-saas-bundle/pom.xml                   | 7 +++++++
 connectors-e2e-test/connectors-e2e-test-base/pom.xml | 6 ++++++
 connectors/kafka/pom.xml                             | 7 +++++++
 3 files changed, 20 insertions(+)

diff --git a/bundle/camunda-saas-bundle/pom.xml b/bundle/camunda-saas-bundle/pom.xml
index 6179ebc81d..a31d166ec2 100644
--- a/bundle/camunda-saas-bundle/pom.xml
+++ b/bundle/camunda-saas-bundle/pom.xml
@@ -28,6 +28,13 @@
       <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
     </dependency>
 
+    <!-- Fix CVE-2024-7254 -->
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java-util</artifactId>
+      <version>3.25.5</version>
+    </dependency>
+
     <dependency>
       <groupId>io.camunda.connector</groupId>
       <artifactId>connector-gcp-secret-provider</artifactId>
diff --git a/connectors-e2e-test/connectors-e2e-test-base/pom.xml b/connectors-e2e-test/connectors-e2e-test-base/pom.xml
index 311f02e444..5bd68ef05d 100644
--- a/connectors-e2e-test/connectors-e2e-test-base/pom.xml
+++ b/connectors-e2e-test/connectors-e2e-test-base/pom.xml
@@ -14,6 +14,12 @@
     <packaging>jar</packaging>
 
     <dependencies>
+        <!-- Fix CVE-2024-31573 -->
+        <dependency>
+            <groupId>org.xmlunit</groupId>
+            <artifactId>xmlunit-core</artifactId>
+            <version>2.10.0</version>
+        </dependency>
         <dependency>
             <groupId>com.jayway.jsonpath</groupId>
             <artifactId>json-path</artifactId>
diff --git a/connectors/kafka/pom.xml b/connectors/kafka/pom.xml
index 576a1e04f8..35d201d205 100644
--- a/connectors/kafka/pom.xml
+++ b/connectors/kafka/pom.xml
@@ -35,6 +35,13 @@ except in compliance with the proprietary license.</license.inlineheader>
 
   <dependencies>
 
+    <!-- Fix CVE-2022-36944 -->
+    <dependency>
+      <groupId>org.scala-lang</groupId>
+      <artifactId>scala-library</artifactId>
+      <version>2.13.15</version>
+    </dependency>
+
     <dependency>
       <groupId>org.apache.kafka</groupId>
       <artifactId>kafka-clients</artifactId>