Posted to commits@tomee.apache.org by "Jonathan Gallimore (Jira)" <ji...@apache.org> on 2021/09/23 08:36:00 UTC

[jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability

     [ https://issues.apache.org/jira/browse/TOMEE-3798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Gallimore resolved TOMEE-3798.
---------------------------------------
    Fix Version/s: 8.0.9
       Resolution: Fixed

A fix for this was committed yesterday: https://github.com/apache/tomee/commit/0fca7230c50775ccfd517c9663a1cd89e77b5bb2

> TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability
> ---------------------------------------------------------
>
>                 Key: TOMEE-3798
>                 URL: https://issues.apache.org/jira/browse/TOMEE-3798
>             Project: TomEE
>          Issue Type: Bug
>            Reporter: Pavana Sai Mahathi Vavilala
>            Assignee: Jonathan Gallimore
>            Priority: Major
>             Fix For: 8.0.9
>
>
> TomEE 8.0.8 is using xmlsec-2.2.1.jar (Apache Santuario), which is affected by vulnerability [CVE-2021-40690|https://nvd.nist.gov/vuln/detail/CVE-2021-40690] with a CVSS score of 6.5.
> +Summary+:
>  _A file disclosure vulnerability has been found in Apache Santuario XML Security for Java. An {{XPath Transform}} could be used to extract any local {{.xml}} files in a {{RetrievalMethod}} element._
> The remediation for the security flaw is available in the older {{xmlsec-2.1.7}} build and the official {{xmlsec-2.2.3}} build.
> Please upgrade to version {{xmlsec-2.2.3}}, which has an official fix to address this issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
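Added example, not code from the TomEE project or from anyone in this thread: a small Python audit that scans a TomEE lib/ directory for Apache Santuario (xmlsec) jars and flags any version below the fixed releases named in the issue (2.1.7 on the 2.1 line, 2.2.3 on the 2.2 line). The jar names in SAMPLE_JARS are constructed sample input; treating release lines the issue does not mention as "unknown" rather than safe is an assumption of this example, and manifest_version() is a helper added here for jars that have been renamed or shaded.

```python
"""Audit a TomEE lib/ directory for xmlsec jars affected by CVE-2021-40690.

Added example, not part of the TomEE project. Fixed versions are taken from
TOMEE-3798: xmlsec 2.1.7 (older line) and xmlsec 2.2.3 (official build).
"""
import re
import zipfile
from pathlib import Path

# First fixed release per minor line, as stated in the issue.
FIXED_BY_LINE = {(2, 1): (2, 1, 7), (2, 2): (2, 2, 3)}

# Matches xmlsec-<major>.<minor>.<patch>[-qualifier].jar
JAR_RE = re.compile(r"^xmlsec-(\d+)\.(\d+)\.(\d+)(?:[-.].*)?\.jar$")

# Constructed sample of a lib/ listing (not a real TomEE distribution).
SAMPLE_JARS = [
    "xmlsec-2.2.1.jar",          # shipped with TomEE 8.0.8 per the issue
    "xmlsec-2.2.3.jar",          # fixed 2.2 line
    "xmlsec-2.1.6.jar",          # below the 2.1.7 fix
    "xmlsec-2.1.7.jar",          # fixed 2.1 line
    "openejb-core-8.0.8.jar",    # unrelated jar, must be ignored
]


def parse_version(jar_name):
    """Return (major, minor, patch) from an xmlsec jar file name, or None."""
    m = JAR_RE.match(jar_name)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def classify(version):
    """'vulnerable', 'fixed', or 'unknown' for an xmlsec version tuple.

    Assumption of this example: a release line not named in the issue is
    reported as 'unknown' so it gets manual review instead of a free pass.
    """
    fixed = FIXED_BY_LINE.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def audit(jar_names):
    """Classify every xmlsec jar in an iterable of file names."""
    findings = []
    for name in jar_names:
        version = parse_version(name)
        if version is not None:
            findings.append((name, classify(version)))
    return findings


def manifest_version(jar_path):
    """Read Implementation-Version from a jar's manifest, for renamed/shaded jars."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", line.split(":", 1)[1].strip())
            return tuple(int(x) for x in m.groups()) if m else None
    return None


def audit_dir(lib_dir):
    """Audit all *.jar files in a real directory (e.g. apache-tomee-plus-8.0.8/lib)."""
    return audit(p.name for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    for name, status in audit(SAMPLE_JARS):
        print(f"{status:10s} {name}")
```

Run it against a real install with audit_dir("path/to/tomee/lib"); any "vulnerable" result means the instance still carries a pre-fix xmlsec and should move to 8.0.9 (or replace the jar with 2.2.3), while "unknown" results need a manual look because the issue says nothing about those lines.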