Posted to issues@activemq.apache.org by "clebert suconic (Jira)" <ji...@apache.org> on 2019/08/26 15:45:02 UTC

[jira] [Closed] (ARTEMIS-2363) spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756

     [ https://issues.apache.org/jira/browse/ARTEMIS-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

clebert suconic closed ARTEMIS-2363.
------------------------------------
    Fix Version/s: 2.10.0
       Resolution: Fixed

> spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756
> ----------------------------------------------------------
>
>                 Key: ARTEMIS-2363
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2363
>             Project: ActiveMQ Artemis
>          Issue Type: Wish
>          Components: Broker
>    Affects Versions: 2.8.1
>            Reporter: Albert Baker
>            Assignee: Justin Bertram
>            Priority: Minor
>              Labels: build, easyfix, security
>             Fix For: 2.10.0
>
>   Original Estimate: 2h
>          Time Spent: 10m
>  Remaining Estimate: 1h 50m
>
> Please upgrade the vulnerable third-party libraries that are used with Apache ActiveMQ Artemis
> Dependency                    | CPE                                        | Highest Severity | CVE Count | CPE Confidence
> ------------------------------|--------------------------------------------|------------------|-----------|---------------
> spring-core-5.0.1.RELEASE.jar | cpe:/a:springsource:spring_framework:5.0.1 | High             | 8         | Highest
> https://nvd.nist.gov/vuln/detail/CVE-2018-15756
> Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
> Mitigation: Spring-core-5.0.1 is from Oct 2017, the latest 5.1.7 is from May 2019



--
This message was sent by Atlassian Jira
(v8.3.2#803003)