Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2020/11/21 11:30:00 UTC
[jira] [Resolved] (WW-5061) CVEs in the library dependencies
[ https://issues.apache.org/jira/browse/WW-5061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart resolved WW-5061.
-------------------------------
Resolution: Fixed
We run a dedicated Jenkins job using OWASP Dependency Check plugin to be notified about CVEs in all the dependencies.
https://ci-builds.apache.org/job/Struts/job/Struts-master-JDK8-dependency-check/
> CVEs in the library dependencies
> --------------------------------
>
> Key: WW-5061
> URL: https://issues.apache.org/jira/browse/WW-5061
> Project: Struts 2
> Issue Type: Dependency
> Reporter: XuCongying
> Priority: Major
> Fix For: 2.6
>
>
> Hi, I noticed that your project is using vulnerable libraries which are related to some CVEs. I suggest updating their versions to increase the security of your project. See details below:
>
> Vulnerable Library Version: net.sourceforge.htmlunit : htmlunit : 2.27
> CVE ID: [CVE-2020-5529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5529)
> Import Path: apps/rest-showcase/pom.xml
> Suggested Safe Versions: 2.37.0
>
> Vulnerable Library Version: org.hibernate : hibernate-validator : 5.4.3.Final
> CVE ID: [CVE-2019-10219](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10219)
> Import Path: plugins/bean-validation/pom.xml, apps/showcase/pom.xml
> Suggested Safe Versions: 6.0.0.Alpha1, 6.0.0.Alpha2, 6.0.0.Beta1, 6.0.0.Beta2, 6.0.0.CR1, 6.0.0.CR2, 6.0.0.CR3, 6.0.0.Final, 6.0.1.Final, 6.0.10.Final, 6.0.11.Final, 6.0.12.Final, 6.0.13.Final, 6.0.14.Final, 6.0.15.Final, 6.0.16.Final, 6.0.17.Final, 6.0.18.Final, 6.0.2.Final, 6.0.3.Final, 6.0.4.Final, 6.0.5.Final, 6.0.6.Final, 6.0.7.Final, 6.0.8.Final, 6.0.9.Final, 6.1.0.Alpha1, 6.1.0.Alpha2, 6.1.0.Alpha3, 6.1.0.Alpha4, 6.1.0.Alpha5, 6.1.0.Alpha6, 6.1.0.Final, 6.1.1.Final, 6.1.2.Final
> Vulnerable Library Version: org.jboss.weld : weld-core : 1.0.1-SP4
> CVE ID: [CVE-2014-8122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8122)
> Import Path: plugins/cdi/pom.xml
> Suggested Safe Versions: 2.2.10.Final, 2.2.10.SP1, 2.2.11.Final, 2.2.12.Final, 2.2.13.Final, 2.2.14.Final, 2.2.15.Final, 2.2.16.Final, 2.2.16.SP1, 2.2.8.Final, 2.2.9.Final, 2.3.0.Beta1, 2.3.0.Beta2, 2.3.0.Beta3, 2.3.0.CR1, 2.3.0.CR2, 2.3.0.Final, 2.3.1.Final, 2.3.2.Final, 2.3.3.Final, 2.3.4.Final, 2.3.5.Final, 2.4.0.CR1, 2.4.0.Final, 2.4.1.Final, 2.4.2.Final, 2.4.2.SP1, 2.4.3.Final, 2.4.4.Final, 2.4.5.Final, 2.4.6.Final, 2.4.7.Final, 2.4.8.Final, 3.0.0.Alpha3, 3.0.0.Alpha4, 3.0.0.Alpha5, 3.0.0.Alpha6
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
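As an added illustration of the kind of check the Dependency Check job above automates (example code written for this page, not from the Struts project or the OWASP plugin): parse a pom.xml, compare each dependency's version against a fix threshold using a simplified Maven-style version ordering, and flag anything below it. The advisory coordinates and CVE IDs are copied from the report; reading the lowest listed safe version as the fix threshold, the qualifier ranking table and the sample pom are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Simplified Maven qualifier ordering (ComparableVersion rules):
# alpha < beta < milestone < rc/cr < snapshot < release ("", final, ga) < sp.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "cr": 3,
                  "snapshot": 4, "": 5, "final": 5, "ga": 5, "release": 5, "sp": 6}

# Advisory data copied from the report above; using the lowest listed safe
# version as the fix threshold is an assumption about the reporter's lists.
ADVISORIES = {
    ("net.sourceforge.htmlunit", "htmlunit"): ("CVE-2020-5529", "2.37.0"),
    ("org.hibernate", "hibernate-validator"): ("CVE-2019-10219", "6.0.0.Alpha1"),
    ("org.jboss.weld", "weld-core"): ("CVE-2014-8122", "2.2.8.Final"),
}
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

def version_key(v):
    """'6.0.0.Alpha1' -> ([6, 0, 0], rank('alpha'), 1); unknown qualifiers rank as release."""
    m = re.fullmatch(r"((?:\d+[.\-])*\d+)[.\-]?([A-Za-z]*)(\d*).*", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = [int(x) for x in re.split(r"[.\-]", m.group(1))]
    rank = QUALIFIER_RANK.get(m.group(2).lower(), QUALIFIER_RANK[""])
    return nums, rank, int(m.group(3) or 0)

def is_at_least(version, minimum):
    """Numeric parts compared first (zero-padded to equal length), then the qualifier."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a[0]), len(b[0]))
    pad = lambda n: n + [0] * (width - len(n))
    return (pad(a[0]), a[1], a[2]) >= (pad(b[0]), b[1], b[2])

def find_vulnerable(pom_xml):
    """Return (groupId, artifactId, version, cve, fixed_in) for each dependency below its threshold."""
    hits = []
    for dep in ET.fromstring(pom_xml).iter(POM_NS + "dependency"):
        g, a, v = (dep.findtext(POM_NS + t) for t in ("groupId", "artifactId", "version"))
        if v is None or v.startswith("${"):
            continue  # inherited or property-resolved version: needs the effective pom
        adv = ADVISORIES.get((g, a))
        if adv and not is_at_least(v, adv[1]):
            hits.append((g, a, v, adv[0], adv[1]))
    return hits
# Constructed sample pom, modelled on the showcase modules named in the report.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>net.sourceforge.htmlunit</groupId><artifactId>htmlunit</artifactId><version>2.27</version></dependency>
<dependency><groupId>org.hibernate</groupId><artifactId>hibernate-validator</artifactId><version>6.0.18.Final</version></dependency>
<dependency><groupId>org.jboss.weld</groupId><artifactId>weld-core</artifactId><version>${weld.version}</version></dependency>
</dependencies></project>"""
```

Calling `find_vulnerable(SAMPLE_POM)` flags only the htmlunit entry; the weld-core entry is skipped because its version is a property, which is exactly the case where an effective-pom scan such as the Jenkins job is needed.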