J. Casalino created SLING-13107:
-----------------------------------
Summary: Pipes vulnerable to CVE-2018-20433
Key: SLING-13107
URL: https://issues.apache.org/jira/browse/SLING-13107
Project: Sling
Issue Type: Bug
Components: pipes, Sling Pipes
Affects Versions: pipes 4.5.0
Reporter: J. Casalino
Sling Pipes 4.5.0 includes a transitive dependency on
{{org.codehaus.plexus:[email protected]}} through
{{[email protected]}}.
CVSS reports {{[email protected]}} contains a Critical vulnerability with a
{color:#FF0000}*score of*{color} {color:#FF0000}*9.8*{color}:
[https://nvd.nist.gov/vuln/detail/cve-2018-20433]
An offline conversation with [~cziegeler] via the sling security email list
suggests this is only required during build time:
{code:java}
The plexus utils are only used at build time during tests, but do not end up
in the final bundle. {code}
Since this is the case, perhaps we can remove this dependency or update the pom
to override the vulnerable version with a fixed version? Either way, the
vulnerability should be mitigated.
Introduced through: com.adobe.<our_bundle_that_uses_pipes>@1.13.7-SNAPSHOT › *org.apache.sling:[email protected]* › org.apache.sling:maven-[email protected] › org.apache.maven:[email protected] › org.apache.maven:[email protected] › org.codehaus.plexus:plexus-[email protected]
*Remediation: upgrade `org.codehaus.plexus:plexus-utils` to version 3.0.16 or higher.*
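An added example (not from this issue or the Sling Pipes pom) of the two pom changes the report proposes: pinning the transitive plexus-utils to the fixed 3.0.16 line through dependencyManagement, or excluding it from the test-scoped dependency that drags it in. The intermediate artifact `org.apache.maven:maven-plugin-api` and its version are assumptions; 3.0.16 is the minimum fixed version named in the remediation above.

```xml
<!-- Added example, not the Sling Pipes pom. Two ways to keep a build-time-only
     transitive dependency from pulling in a vulnerable plexus-utils. -->
<project>
  <!-- Option 1: override the version on every path that resolves plexus-utils.
       3.0.16 is the minimum fixed version cited in the report. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
        <version>3.0.16</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Option 2: if the dependency really is test-only, scope it as test and
         exclude plexus-utils so the consuming bundle's scan no longer flags it.
         maven-plugin-api and ASSUMED_VERSION are placeholders for the
         org.apache.maven artifact in the report's dependency path. -->
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-plugin-api</artifactId>
      <version>ASSUMED_VERSION</version>
      <scope>test</scope>
      <exclusions>
        <exclusion>
          <groupId>org.codehaus.plexus</groupId>
          <artifactId>plexus-utils</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
<!-- Check that the change took effect:
     mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils
     should list only 3.0.16 (option 1) or nothing at all (option 2). -->
```

Prefer the override when plexus-utils is actually exercised by the tests, since an exclusion silently removes classes those tests may load; the tree check above confirms which versions still resolve.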
--
This message was sent by Atlassian Jira
(v8.20.10#820010)