Posted to user@commons.apache.org by Adesina Adebiyi <ad...@sfissa.org.INVALID> on 2021/05/26 15:25:38 UTC

Re: commons-dbcp2 Information Exposure Vulnerability

Good day,

I am researching an issue raised by Sonatype (sonatype-2020-1349) -- that
org.apache.commons:commons-dbcp2 has an "information exposure" vulnerability,
and that all versions, including version 2.8.0, are vulnerable.

It appears that Gary's commit of Sep 21, 2020 (mask out name and password)
fixed the issue:
https://github.com/apache/commons-dbcp/blob/rel/commons-dbcp-2.8.0/RELEASE-NOTES.txt

Yet Sonatype is claiming that version 2.8.0 is vulnerable to information
disclosure.  Indeed, WhiteSource and Snyk.io are also reporting that
versions of Apache commons including 2.8.0 are vulnerable:

WhiteSource
Upgrade Version : No fix version available
CVSS 3.1
https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287

Sonatype-2020-1349
CVSS Vector:CVSS:3.1  The Apache Commons DBCP packages are vulnerable to
Insufficiently Protected Credential
The application is vulnerable by using this component

Snyk.io
https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
All versions vulnerable to Information exposure including the latest
published 21 Sep, 2020  org.apache.commons:commons-dbcp2 2.8.0

Was Gary's commit never released?  Or did Gary's released commit fix the
issue and somehow Sonatype, Snyk.io, and WhiteSource are incorrectly
reporting commons-dbcp2 version 2.8.0 as vulnerable to Information Exposure?

Thanks for your prompt response.

Regards.

Adesina




Re: commons-dbcp2 Information Exposure Vulnerability

Posted by Gary Gregory <ga...@gmail.com>.
I plan on releasing Commons Pool and then looking at the PR and releasing
DBCP...

Gary

On Wed, May 26, 2021 at 12:14 PM Matt Sicker <bo...@gmail.com> wrote:

> See https://issues.apache.org/jira/browse/DBCP-562 which is still open.

Re: commons-dbcp2 Information Exposure Vulnerability

Posted by Matt Sicker <bo...@gmail.com>.
See https://issues.apache.org/jira/browse/DBCP-562 which is still open.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org