[
https://issues.apache.org/jira/browse/SLING-13107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Carsten Ziegeler reassigned SLING-13107:
----------------------------------------
Assignee: Carsten Ziegeler
> Pipes 4.5.0 Build vulnerable to CVE-2018-20433
> ----------------------------------------------
>
> Key: SLING-13107
> URL: https://issues.apache.org/jira/browse/SLING-13107
> Project: Sling
> Issue Type: Bug
> Components: pipes, Sling Pipes
> Affects Versions: pipes 4.5.0
> Reporter: J. Casalino
> Assignee: Carsten Ziegeler
> Priority: Critical
> Labels: SECURITY, Security, security, security-issue, security-review-needed
> Fix For: pipes 4.5.2
>
>
> {{[email protected]}} includes a transitive dependency to
> {{org.codehaus.plexus:[email protected]}} through
> {{{}[email protected]{}}}.
> CVSS reports {{[email protected]}} contains a Critical vulnerability with a
> {color:#ff0000}*score of*{color} {color:#ff0000}*9.8*{color}:
> [https://nvd.nist.gov/vuln/detail/cve-2018-20433]
> An offline conversation with [~cziegeler] via the sling security email list
> suggests this is only required during build time:
> {code:java}
> The plexus utils are only used at build time during tests, but do not end up
> in the final bundle.
> {code}
> Since this is the case, perhaps we can remove this dependency or update the
> pom to override the vulnerable version with a fixed version? Either way, the
> vulnerability should be mitigated.
> Introduced through: com.adobe.<our_bundle_that_uses_pipes>@1.13.7-SNAPSHOT ›
> *org.apache.sling:[email protected]* › org.apache.sling:maven-[email protected] ›
> org.apache.maven:[email protected] › org.apache.maven:[email protected] ›
> org.codehaus.plexus:plexus-[email protected]
> *Remediation: upgrade `org.codehaus.plexus:plexus-utils` to version 3.0.16 or higher.*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
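The reporter proposes overriding the vulnerable transitive version in the consuming project's pom. The following pom fragment is an added example of that approach, not the Sling Pipes project's own fix for SLING-13107. It pins `org.codehaus.plexus:plexus-utils` to 3.0.16 (the remediation version named in the report) through `dependencyManagement`, which Maven applies to transitive dependencies as well, and adds a Maven Enforcer `bannedDependencies` rule so the build fails if any path still resolves an older version. The Sling Pipes artifactId `org.apache.sling.pipes`, the `provided` scope and the enforcer plugin version are assumptions; the consuming project's own coordinates are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the consuming bundle; not from the issue. -->
  <groupId>com.example</groupId>
  <artifactId>bundle-that-uses-pipes</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <!-- Added example: dependencyManagement wins over the version that
       maven-plugin-tools-api would otherwise pull in transitively. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
        <version>3.0.16</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Sling Pipes artifactId and scope are assumed for this example. -->
    <dependency>
      <groupId>org.apache.sling</groupId>
      <artifactId>org.apache.sling.pipes</artifactId>
      <version>4.5.0</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Enforcer rule: fail the build if any dependency path, transitive
           included, still resolves plexus-utils older than 3.0.16. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-vulnerable-plexus-utils</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- Version range: anything below 3.0.16 is banned. -->
                    <exclude>org.codehaus.plexus:plexus-utils:(,3.0.16)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm which version actually resolves after the override, run `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils` in the consuming project; the enforcer rule then turns that manual check into a build-time gate. Note that this only governs the consuming project's resolved dependency graph: as the issue itself records, the vulnerable artifact is not shipped in the final Pipes bundle, so the override addresses scanner findings and build-time exposure rather than runtime behaviour.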