Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2020/11/21 11:30:00 UTC

[jira] [Resolved] (WW-5061) CVEs in the library dependencies

     [ https://issues.apache.org/jira/browse/WW-5061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-5061.
-------------------------------
    Resolution: Fixed

We run a dedicated Jenkins job using the OWASP Dependency Check plugin to be notified about CVEs in all the dependencies.

https://ci-builds.apache.org/job/Struts/job/Struts-master-JDK8-dependency-check/

> CVEs in the library dependencies
> --------------------------------
>
>                 Key: WW-5061
>                 URL: https://issues.apache.org/jira/browse/WW-5061
>             Project: Struts 2
>          Issue Type: Dependency
>            Reporter: XuCongying
>            Priority: Major
>             Fix For: 2.6
>
>
> Hi, I noticed that your project is using vulnerable libraries which are related to some CVEs. I suggest updating their versions to increase the security of your project. See details below:
>  
> Vulnerable Library Version: net.sourceforge.htmlunit : htmlunit : 2.27
>   CVE ID: [CVE-2020-5529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5529)
>   Import Path: apps/rest-showcase/pom.xml
>   Suggested Safe Versions: 2.37.0
>  
> Vulnerable Library Version: org.hibernate : hibernate-validator : 5.4.3.Final
>   CVE ID: [CVE-2019-10219](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10219)
>   Import Path: plugins/bean-validation/pom.xml, apps/showcase/pom.xml
>   Suggested Safe Versions: 6.0.0.Alpha1, 6.0.0.Alpha2, 6.0.0.Beta1, 6.0.0.Beta2, 6.0.0.CR1, 6.0.0.CR2, 6.0.0.CR3, 6.0.0.Final, 6.0.1.Final, 6.0.10.Final, 6.0.11.Final, 6.0.12.Final, 6.0.13.Final, 6.0.14.Final, 6.0.15.Final, 6.0.16.Final, 6.0.17.Final, 6.0.18.Final, 6.0.2.Final, 6.0.3.Final, 6.0.4.Final, 6.0.5.Final, 6.0.6.Final, 6.0.7.Final, 6.0.8.Final, 6.0.9.Final, 6.1.0.Alpha1, 6.1.0.Alpha2, 6.1.0.Alpha3, 6.1.0.Alpha4, 6.1.0.Alpha5, 6.1.0.Alpha6, 6.1.0.Final, 6.1.1.Final, 6.1.2.Final
>  
> Vulnerable Library Version: org.jboss.weld : weld-core : 1.0.1-SP4
>   CVE ID: [CVE-2014-8122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8122)
>   Import Path: plugins/cdi/pom.xml
>   Suggested Safe Versions: 2.2.10.Final, 2.2.10.SP1, 2.2.11.Final, 2.2.12.Final, 2.2.13.Final, 2.2.14.Final, 2.2.15.Final, 2.2.16.Final, 2.2.16.SP1, 2.2.8.Final, 2.2.9.Final, 2.3.0.Beta1, 2.3.0.Beta2, 2.3.0.Beta3, 2.3.0.CR1, 2.3.0.CR2, 2.3.0.Final, 2.3.1.Final, 2.3.2.Final, 2.3.3.Final, 2.3.4.Final, 2.3.5.Final, 2.4.0.CR1, 2.4.0.Final, 2.4.1.Final, 2.4.2.Final, 2.4.2.SP1, 2.4.3.Final, 2.4.4.Final, 2.4.5.Final, 2.4.6.Final, 2.4.7.Final, 2.4.8.Final, 3.0.0.Alpha3, 3.0.0.Alpha4, 3.0.0.Alpha5, 3.0.0.Alpha6
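
The report quoted above lists three vulnerable Maven coordinates together with the versions considered safe. The check this implies, comparing each declared dependency against the earliest suggested safe version using Maven's version ordering rather than a plain string compare, is shown here as an added example. It is not code from this Jira thread, from Apache Struts, or from OWASP Dependency Check; the pom.xml is constructed for the demo, the function names are my own, and the version comparison is a simplified reimplementation of Maven's ComparableVersion rules (alpha < beta < milestone < rc/cr < snapshot < release/final < sp, numeric components compared as integers, missing trailing components treated as 0 or as a plain release).

```python
"""Added example, not code from the Jira thread: check a Maven pom.xml against
the vulnerable coordinates reported in WW-5061 using Maven-style version
ordering (simplified reimplementation of ComparableVersion; names are my own)."""
import re
import xml.etree.ElementTree as ET

# (groupId, artifactId) -> (CVE, earliest entry of the report's "Suggested Safe Versions")
ADVISORIES = {
    ("net.sourceforge.htmlunit", "htmlunit"): ("CVE-2020-5529", "2.37.0"),
    ("org.hibernate", "hibernate-validator"): ("CVE-2019-10219", "6.0.0.Alpha1"),
    ("org.jboss.weld", "weld-core"): ("CVE-2014-8122", "2.2.8.Final"),
}

INT, QUAL = 1, 0          # component kinds: numeric vs. qualifier
RELEASE_RANK = 5          # rank of a plain release ("", "final", "ga")
QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
                  "rc": 3, "cr": 3, "snapshot": 4,
                  "ga": 5, "final": 5, "release": 5, "sp": 6}


def _components(version):
    """'6.0.0.Alpha1' -> [(INT,6),(INT,0),(INT,0),(QUAL,0),(INT,1)]."""
    out = []
    for tok in re.findall(r"\d+|[a-z]+", version.lower()):
        if tok.isdigit():
            out.append((INT, int(tok)))
        else:  # unknown qualifiers sort after all known ones, as Maven does
            out.append((QUAL, QUALIFIER_RANK.get(tok, RELEASE_RANK + 2)))
    return out


def _cmp_component(x, y):
    """Compare two components; None stands for a missing trailing component,
    which Maven treats as 0 (against a number) or as a plain release (against
    a qualifier), so 2.37 == 2.37.0 and 6.0.0 > 6.0.0.Alpha1."""
    if x is None and y is None:
        return 0
    if x is None:
        return -_cmp_component(y, None)
    if y is None:
        if x[0] == INT:
            return 1 if x[1] > 0 else 0
        return (x[1] > RELEASE_RANK) - (x[1] < RELEASE_RANK)
    if x[0] != y[0]:  # a number at a position outranks any qualifier there
        return 1 if x[0] == INT else -1
    return (x[1] > y[1]) - (x[1] < y[1])


def compare_versions(a, b):
    """Return -1, 0 or 1 for Maven-style versions a and b."""
    ca, cb = _components(a), _components(b)
    for i in range(max(len(ca), len(cb))):
        r = _cmp_component(ca[i] if i < len(ca) else None,
                           cb[i] if i < len(cb) else None)
        if r:
            return r
    return 0


def scan_pom(pom_xml):
    """Return (groupId, artifactId, version, cve, safe) for each dependency in
    the pom that matches an advisory and is older than its safe version.
    ${property} references are resolved from the pom's own <properties>."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for block in root.iter(q("properties")) for p in block}
    findings = []
    for dep in root.iter(q("dependency")):
        group = dep.findtext(q("groupId"), default="").strip()
        artifact = dep.findtext(q("artifactId"), default="").strip()
        version = dep.findtext(q("version"), default="").strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        advisory = ADVISORIES.get((group, artifact))
        if not advisory or not version or "${" in version:
            continue  # not in the report, or version inherited/unresolved here
        cve, safe = advisory
        if compare_versions(version, safe) < 0:
            findings.append((group, artifact, version, cve, safe))
    return findings


# Constructed pom for the demo; the first two entries mirror the report, the
# third is newer than the earliest safe weld-core version and must not be flagged.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><htmlunit.version>2.27</htmlunit.version></properties>
  <dependencies>
    <dependency><groupId>net.sourceforge.htmlunit</groupId>
      <artifactId>htmlunit</artifactId><version>${htmlunit.version}</version></dependency>
    <dependency><groupId>org.hibernate</groupId>
      <artifactId>hibernate-validator</artifactId><version>5.4.3.Final</version></dependency>
    <dependency><groupId>org.jboss.weld</groupId>
      <artifactId>weld-core</artifactId><version>2.2.10.Final</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for group, artifact, version, cve, safe in scan_pom(SAMPLE_POM):
        print(f"{group}:{artifact}:{version} affected by {cve}; upgrade to {safe} or later")
```

Run as a script it prints the two affected coordinates; weld-core at 2.2.10.Final is left alone because 10 > 8 numerically, which a string comparison would get wrong. The threshold is the earliest entry of each suggested list, which only matches the report if every later version in that list is also fixed; a real scanner such as the Dependency Check job mentioned above uses the full vulnerable ranges from the vulnerability database instead of a single lower bound.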



--
This message was sent by Atlassian Jira
(v8.3.4#803005)