You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/10/26 12:29:00 UTC
[jira] [Commented] (CXF-8776) Version 3.5.4 contains security vulnerable woodstox version
[ https://issues.apache.org/jira/browse/CXF-8776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17624424#comment-17624424 ]
Colm O hEigeartaigh commented on CXF-8776:
------------------------------------------
We have already updated to Woodstox 6.4.0 - [https://github.com/apache/cxf/commit/a615cc34ee974469e94c8a0086ec2ed0c84991fa]
According to [https://github.com/advisories/GHSA-3f7h-mf4q-vrm4,] it only impacts DTD parsing, which we don't do in CXF.
Colm.
> Version 3.5.4 contains security vulnerable woodstox version
> -----------------------------------------------------------
>
> Key: CXF-8776
> URL: https://issues.apache.org/jira/browse/CXF-8776
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 3.5.4
> Reporter: Shalom Yaish
> Priority: Major
>
> Version 3.5.4 contains the security vulnerable woodstox-core- 6.2.8 containing this CVE:
> CVE-2022-40151 - CVE-2022-40156
> [https://www.mend.io/vulnerability-database/CVE-2022-40151]
> The fix existed at woodstox-core-6.4.0
>
> Any chance this will be released quickly ?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)