Posted to dev@manifoldcf.apache.org by "Karl Wright (Jira)" <ji...@apache.org> on 2022/06/09 09:09:00 UTC

[jira] [Commented] (CONNECTORS-1715) Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version

    [ https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552059#comment-17552059 ] 

Karl Wright commented on CONNECTORS-1715:
-----------------------------------------

Sorry, most of these cannot be upgraded because there is nothing to upgrade to.  Example: Axis jars.

A quick look shows that the kinds of attacks listed here are operating modes for the jars in question that would make the attack vector impossible to exploit in ManifoldCF.  ManifoldCF indexes data from/to trusted systems, so an attack on ManifoldCF itself from such a setup would have to involve a man-in-the-middle, which can trivially be avoided if you are on either a secure network or use HTTPS for your connections to your repositories.  We also recommend that ManifoldCF's UI and API be localized to an internal network, but in any case they are what we secure.  Database connection security is left as an exercise for the user; it's beyond the scope of the ManifoldCF project.

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---------------------------------------------------------------
>
>                 Key: CONNECTORS-1715
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
>             Project: ManifoldCF
>          Issue Type: Bug
>    Affects Versions: ManifoldCF 2.22
>            Reporter: Himanshu
>            Priority: Major
>         Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1
--
This message was sent by Atlassian Jira
(v8.20.7#820007)