Posted to issues@maven.apache.org by "jycr (Jira)" <ji...@apache.org> on 2023/01/09 00:37:00 UTC

[jira] [Commented] (MSKINS-203) CVEs in generated maven site with maven-fluido-skin

    [ https://issues.apache.org/jira/browse/MSKINS-203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17655853#comment-17655853 ] 

jycr commented on MSKINS-203:
-----------------------------

MSKINS-175 is incomplete.

There are currently 4 CVEs detected (not just 2).
And it lacks details about the upgrade required for Bootstrap.

I will add these details as a comment to MSKINS-175.

> CVEs in generated maven site with maven-fluido-skin
> ---------------------------------------------------
>
>                 Key: MSKINS-203
>                 URL: https://issues.apache.org/jira/browse/MSKINS-203
>             Project: Maven Skins
>          Issue Type: Bug
>          Components: Fluido Skin
>    Affects Versions: fluido-1.11.1
>            Reporter: jycr
>            Priority: Critical
>
> Generated Maven sites (with maven-fluido-skin) are affected by the following CVEs:
> * [CVE-2015-9251|https://nvd.nist.gov/vuln/detail/cve-2015-9251]
> * [CVE-2019-11358|https://nvd.nist.gov/vuln/detail/CVE-2019-11358]
> * [CVE-2020-11022|https://nvd.nist.gov/vuln/detail/CVE-2020-11022]
> * [CVE-2020-11023|https://nvd.nist.gov/vuln/detail/CVE-2020-11023]
> Those CVEs are regarding the jQuery version used by this skin: jQuery 1.11.2
> An upgrade of jQuery is needed to use jQuery version >= 3.5.0
> Unfortunately, Bootstrap 2.3.2 does not support jQuery 3+
> An upgrade of Bootstrap is needed to use Bootstrap version >= 3.3.7
> Some modifications are needed, see: https://getbootstrap.com/docs/3.4/migration/
> Please note: Bootstrap 2 is under Apache License, Bootstrap 3 is under MIT License



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
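
A check for the condition reported in this issue, as an added example that is not part of the original message or of the Maven project's code: it walks a generated site directory, reads the jQuery version from each script's banner comment (falling back to the file name), and flags copies older than the 3.5.0 threshold given in the issue. The banner and file-name patterns, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Minimum version stated in the issue: jQuery >= 3.5.0.
MIN_JQUERY = (3, 5, 0)

# Assumed banner formats: "/*! jQuery v1.11.2 |" (minified) and
# "jQuery JavaScript Library v1.11.2" (unminified).
BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")
# Assumed file naming for the fallback, e.g. jquery-1.11.2.min.js.
NAME = re.compile(r"jquery[-.](\d+)\.(\d+)\.(\d+)", re.I)


def jquery_version(path):
    """Return the jQuery version of a .js file as a tuple, or None."""
    with path.open("rb") as fh:
        head = fh.read(4096)  # the banner sits at the top of the file
    m = BANNER.search(head) or NAME.search(path.name)
    return tuple(int(g) for g in m.groups()) if m else None


def scan_site(site_dir):
    """Return sorted (relative path, version, is_outdated) per jQuery copy."""
    root = Path(site_dir)
    findings = []
    for js in root.rglob("*.js"):
        version = jquery_version(js)
        if version is not None:
            rel = js.relative_to(root).as_posix()
            label = ".".join(map(str, version))
            findings.append((rel, label, version < MIN_JQUERY))
    return sorted(findings)


def demo():
    """Scan a constructed site tree (sample files, banner lines only)."""
    with tempfile.TemporaryDirectory() as tmp:
        js_dir = Path(tmp, "js")
        js_dir.mkdir()
        (js_dir / "bundle.min.js").write_bytes(b"/*! jQuery v1.11.2 | sample */\n")
        (js_dir / "jquery-1.11.2.js").write_bytes(b"// banner stripped\n")
        (js_dir / "jquery-3.5.0.min.js").write_bytes(b"/*! jQuery v3.5.0 | sample */\n")
        (js_dir / "other.js").write_bytes(b"console.log('not jQuery');\n")
        return scan_site(tmp)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Pointing `scan_site` at a real build output such as `target/site` lists every bundled jQuery copy; any row whose last field is `True` is below the version the issue asks for.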