Resolve CVE-2024-52338 and CVE-2025-48924 (#916)

jprakash-db · web-flow · commit 0effaa680531 · 2025-07-31T16:28:30.000+05:30
## Description Version bump for [CVE-2024-52338](https://nvd.nist.gov/vuln/detail/CVE-2024-52338) and [CVE-2025-48924](https://nvd.nist.gov/vuln/detail/CVE-2025-48924) ## Testing NA ## Additional Notes to the Reviewer NA
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -13,6 +13,8 @@
 
 ### Updated
 - Column name support for JDBC ResultSet operations is now case-insensitive
+- Updated arrow to 17.0.0 to resolve CVE-2024-52338
+- Updated commons-lang3 to 3.18.0 to resolve CVE-2025-48924
 - Enhanced SSL certificate path validation error messages to provide actionable troubleshooting steps.
 
 ### Fixed
diff --git a/pom.xml b/pom.xml
@@ -40,7 +40,8 @@
     </repository>
   </distributionManagement>
   <properties>
-    <arrow.version>13.0.0</arrow.version>
+    <arrow.version>17.0.0</arrow.version>
+    <commons-lang3.version>3.18.0</commons-lang3.version>
     <maven.compiler.source>11</maven.compiler.source>
     <maven.compiler.target>11</maven.compiler.target>
     <mockito.version>5.2.0</mockito.version>
@@ -69,6 +70,16 @@
     <netty.version>4.2.0.Final</netty.version>
     <grpc.version>1.71.0</grpc.version>
   </properties>
+  <dependencyManagement>
+    <!-- Force safe version of commons-lang3 https://nvd.nist.gov/vuln/detail/CVE-2025-48924 -->
+    <dependencies>
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-lang3</artifactId>
+        <version>${commons-lang3.version}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
   <dependencies>
     <dependency>
       <groupId>com.databricks</groupId>
