feat(dependencies): remove org.quartz-scheduler:quartz by halibobo1205 · Pull Request #6257 · tronprotocol/java-tron
What does this PR do?
Remove org.quartz-scheduler:quartz to avoid potential impacts CVE-2023-39017.
Tip
Tron does not use this scenario for now.
Why are these changes required?
quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument.
Important
this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.
This PR has been tested by:
- Unit Tests
- Manual Testing
Follow up
Extra details