You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/10/26 12:29:00 UTC

[jira] [Commented] (CXF-8776) Version 3.5.4 contains security vulnerable woodstox version

    [ https://issues.apache.org/jira/browse/CXF-8776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17624424#comment-17624424 ] 

Colm O hEigeartaigh commented on CXF-8776:
------------------------------------------

We have already updated to Woodstox 6.4.0 - [https://github.com/apache/cxf/commit/a615cc34ee974469e94c8a0086ec2ed0c84991fa]

According to [https://github.com/advisories/GHSA-3f7h-mf4q-vrm4,] it only impacts DTD parsing, which we don't do in CXF.

Colm.

> Version 3.5.4 contains security vulnerable woodstox version
> -----------------------------------------------------------
>
>                 Key: CXF-8776
>                 URL: https://issues.apache.org/jira/browse/CXF-8776
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.5.4
>            Reporter: Shalom Yaish
>            Priority: Major
>
> Version 3.5.4 contains the security vulnerable woodstox-core- 6.2.8 containing this CVE:
> CVE-2022-40151 - CVE-2022-40156
> [https://www.mend.io/vulnerability-database/CVE-2022-40151]
> The fix existed at woodstox-core-6.4.0
>  
> Any chance this will be released quickly ?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)