Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/02/24 22:18:00 UTC

[jira] [Commented] (SLING-11162) Vulnerabilities stopping us from procuring these libs

    [ https://issues.apache.org/jira/browse/SLING-11162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17497764#comment-17497764 ] 

Robert Munteanu commented on SLING-11162:
-----------------------------------------

[~friendlymahi] - I am not sure what we can do here to help. I see neither the servlets.post nor the xss bundle as dependencies of https://github.com/apache/sling-org-apache-sling-resourcebuilder/blob/org.apache.sling.resourcebuilder-1.0.4/pom.xml.

Of course, if you can contribute a fix to the resource builder that unblocks your security process I'd be happy to review it. But the main question is still how it links the resource builder to those two bundles.

> Vulnerabilities stopping us from procuring these libs
> -----------------------------------------------------
>
>                 Key: SLING-11162
>                 URL: https://issues.apache.org/jira/browse/SLING-11162
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>            Reporter: Mahidhar Chaluvadi
>            Priority: Major
>
> Today we wanted to use the latest version of WCM IO Mocks for AEM JUnit Testing, and our organization denied our request stating there are vulnerabilities in the dependency chain, and here are the details. Wondering if there is a way to revise the version including necessary fixes. We are okay to contribute back to the respective git repo with the required guidance so we don't violate any standards you may have.
>   Dependency: MAVEN - org.apache.sling:org.apache.sling.resourcebuilder:1.0.4:jar
>       RejectReasons (2)
>         RejectReason:   2057e68c-41f8-4f57-80fe-54278d93e422
>           Type:            VULNERABILITY
>           Name:            CVE-2016-0956
>           CVSS Score v2:   7.8
>           Severity:        high
>           Description:     The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors.
>         RejectReason:   51205845-93e2-4d67-8289-afe4ee35cd65
>           Type:            VULNERABILITY
>           Name:            CVE-2016-6798
>           CVSS Score v2:   7.5
>           Severity:        high
>           Description:     In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
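As an added example that is not code from the Sling project or from this thread: the hardened SAX configuration a "validate by parsing" helper of the kind CVE-2016-6798 describes (XSS.getValidXML() handing untrusted input to a default SAX parser) needs, with a check that a fragment carrying a DOCTYPE is refused before any entity is resolved. The class name, method names and the two sample inputs are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeSafeValidation {

    // Builds a SAX parser with DTD processing and external entities disabled,
    // so untrusted XML can be checked for well-formedness without XXE exposure.
    static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE: no DTD means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns true when the input is well-formed XML under the hardened parser.
    // A DOCTYPE makes the parser throw SAXException, so such input is reported invalid.
    static boolean isValidXml(String input) {
        try {
            newHardenedParser().parse(new InputSource(new StringReader(input)), new DefaultHandler());
            return true;
        } catch (SAXException | IOException e) {
            return false;
        } catch (ParserConfigurationException e) {
            // A feature the runtime parser does not support means the hardening is incomplete:
            // fail closed rather than validate with a weaker parser.
            throw new IllegalStateException("hardened SAX parser unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs (assumptions): a plain fragment and one with an inline DTD.
        String plain = "<p>hello</p>";
        String withDoctype = "<!DOCTYPE p [<!ENTITY x \"inline\">]><p>&x;</p>";
        System.out.println("plain fragment accepted: " + isValidXml(plain));
        System.out.println("DOCTYPE fragment accepted: " + isValidXml(withDoctype));
    }
}
```

The second input is refused because the DOCTYPE itself is rejected, which is what keeps entity resolution from ever running on caller-supplied data.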