[ https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552059#comment-17552059 ]

Karl Wright commented on CONNECTORS-1715:
-----------------------------------------

Sorry, most of these cannot be upgraded because there is nothing to upgrade to.
Example: Axis jars.

A quick look shows that the kinds of attacks listed here are operating modes 
for the jars in question that would make the attack vector impossible to 
exploit in ManifoldCF.  ManifoldCF indexes data from/to trusted systems, so an 
attack on ManifoldCF itself from such a setup would have to involve a 
man-in-the-middle, which can trivially be avoided if you are on either a secure 
network or use HTTPS for your connections to your repositories.  ManifoldCF's 
UI and API we recommend also be localized to an internal network, but in any 
case they are what we secure.  Database connection security is left as an 
exercise for the user; it's beyond the scope of the ManifoldCF project.

> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---------------------------------------------------------------
>
>                 Key: CONNECTORS-1715
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
>             Project: ManifoldCF
>          Issue Type: Bug
>    Affects Versions: ManifoldCF 2.22
>            Reporter: Himanshu
>            Priority: Major
>         Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1
--
This message was sent by Atlassian Jira
(v8.20.7#820007)