fix CVE-2024-57699 by pinning version (#37200)

stankiewicz · web-flow · commit 9e3dd1a2c870 · 2025-12-30T16:43:09.000-05:00
diff --git a/sdks/java/io/iceberg/hive/build.gradle b/sdks/java/io/iceberg/hive/build.gradle
@@ -57,6 +57,8 @@ dependencies {
     }
     // add manually higher version to resolve CVE-2025-59250
     runtimeOnly ("com.microsoft.sqlserver:mssql-jdbc:12.2.0.jre11")
+    // resolve CVE-2024-57699
+    runtimeOnly("net.minidev:json-smart:2.5.2")
     runtimeOnly ("org.apache.hbase:hbase-client:$hbase_version")
     runtimeOnly ("org.apache.calcite.avatica:avatica-core:$avatica_version")
     // these exlusions were inherit from hive-exec-3.1.3.pom

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@ dependencies {`
`57`	`57`	`}`
`58`	`58`	`// add manually higher version to resolve CVE-2025-59250`
`59`	`59`	`runtimeOnly ("com.microsoft.sqlserver:mssql-jdbc:12.2.0.jre11")`
	`60`	`+ // resolve CVE-2024-57699`
	`61`	`+ runtimeOnly("net.minidev:json-smart:2.5.2")`
`60`	`62`	`runtimeOnly ("org.apache.hbase:hbase-client:$hbase_version")`
`61`	`63`	`runtimeOnly ("org.apache.calcite.avatica:avatica-core:$avatica_version")`
`62`	`64`	`// these exlusions were inherit from hive-exec-3.1.3.pom`