[ https://issues.apache.org/jira/browse/WSS-683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304999#comment-17304999 ]
Nick Monkman commented on WSS-683:
----------------------------------

Yes. Here is the relevant output of 'gradle dependencies'. The {{velocity-1.7}} reference is near the bottom

{noformat}
|    +--- org.apache.wss4j:wss4j-ws-security-common:2.3.1
|    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    +--- org.apache.santuario:xmlsec:2.2.1
|    |    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.8.0-beta2
|    |    |    +--- commons-codec:commons-codec:1.15
|    |    |    \--- com.fasterxml.woodstox:woodstox-core:5.2.1
|    |    |         \--- org.codehaus.woodstox:stax2-api:4.2
|    |    +--- org.opensaml:opensaml-saml-impl:3.4.5
|    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- io.dropwizard.metrics:metrics-core:3.1.2
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.7 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.1 -> 3.0.2
|    |    |    |    |    |    +--- com.google.guava:guava:20.0 -> 29.0-jre (*)
|    |    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-saml-api:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5
|    |    |    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    |    |    +--- org.bouncycastle:bcprov-jdk15on:1.59 -> 1.68
|    |    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5
|    |    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- org.opensaml:opensaml-messaging-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5
|    |    |    |    |    +--- joda-time:joda-time:2.9 -> 2.10.8
|    |    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-storage-api:3.4.5 (*)
|    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-xmlsec-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-core:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-xmlsec-api:3.4.5 (*)
|    |    |    |    +--- org.apache.santuario:xmlsec:2.0.10 -> 2.2.1 (*)
|    |    |    |    +--- org.opensaml:opensaml-security-impl:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.opensaml:opensaml-soap-impl:3.4.5
|    |    |    |    +--- org.opensaml:opensaml-soap-api:3.4.5 (*)
|    |    |    |    +--- org.opensaml:opensaml-profile-api:3.4.5 (*)
|    |    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
|    |    |    +--- org.apache.velocity:velocity:1.7
|    |    |    |    +--- commons-collections:commons-collections:3.2.1 -> 3.2.2
|    |    |    |    \--- commons-lang:commons-lang:2.4
|    |    |    +--- org.apache.httpcomponents:httpclient:4.5.3 -> 4.5.13 (*)
|    |    |    +--- net.shibboleth.utilities:java-support:7.5.1 (*)
|    |    |    +--- commons-codec:commons-codec:1.10 -> 1.15
|    |    |    \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
{noformat}

> WSS4J depends on Velocity 1.7 which contains a security vulnerability
> (CVE-2020-13936)
> --------------------------------------------------------------------------------------
>
> Key: WSS-683
> URL: https://issues.apache.org/jira/browse/WSS-683
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.3.1
> Reporter: Nick Monkman
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Labels: security
>
> WSS4J has a transitive dependency on velocity 1.7 (via OpenSAML 3.x) which is
> subject to a high security vulnerability (
> [https://nvd.nist.gov/vuln/detail/CVE-2020-13936] )
> WSS4J should update its OpenSAML dependency to 4.x thereby allowing
> velocity-core-engine to be updated to the patched version (2.3)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org For additional commands, e-mail: dev-h...@ws.apache.org
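A parser for the format posted in the comment above, added here as an example and not code from the Jira thread or from WSS4J: it reads the text tree that `gradle dependencies` prints and lists every chain through which a given group:artifact is pulled in, keyed on the version Gradle actually resolved (the target of `->` when one is shown, not the declared one), which is the version a vulnerability check such as the one for `org.apache.velocity:velocity` should match against. The embedded `SAMPLE` tree is a constructed, shortened excerpt modelled on the one in the comment; `wss4j-ws-security-dom` as the top-level module and the second, direct `velocity` entry marked `(*)` are assumptions made for the example.

```python
"""Trace how an artifact enters a build from `gradle dependencies` output.

Added example, not code from the Jira thread or from WSS4J. Parses the text
tree Gradle prints (columns of "|    " or "     ", then "+--- " or "\\--- ")
and reports every chain root -> ... -> target for a group:artifact, using the
version Gradle resolved (the "-> x" target when present, else the declared one).
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple

# Constructed sample: a shortened tree modelled on the one in the issue comment.
# wss4j-ws-security-dom as the top-level module and the direct velocity entry
# at the bottom are assumptions made for this example.
SAMPLE = r"""
+--- org.apache.wss4j:wss4j-ws-security-dom:2.3.1
|    +--- org.apache.wss4j:wss4j-ws-security-common:2.3.1
|    |    +--- org.apache.santuario:xmlsec:2.2.1
|    |    |    \--- com.fasterxml.woodstox:woodstox-core:5.2.1
|    |    |         \--- org.codehaus.woodstox:stax2-api:4.2
|    |    \--- org.opensaml:opensaml-saml-impl:3.4.5
|    |         +--- org.opensaml:opensaml-core:3.4.5
|    |         +--- org.apache.velocity:velocity:1.7
|    |         |    +--- commons-collections:commons-collections:3.2.1 -> 3.2.2
|    |         |    \--- commons-lang:commons-lang:2.4
|    |         \--- org.slf4j:slf4j-api:1.7.25 -> 1.8.0-beta2
\--- org.apache.velocity:velocity:1.7 (*)
"""

# One tree line: indentation columns (5 chars each), branch marker, entry text.
NODE_RE = re.compile(r"^((?:\|    |     )*)[+\\]--- (.*\S)\s*$")
# Entry text: group:artifact[:declared][ -> resolved][ (*)|(c)|(n)]
DEP_RE = re.compile(
    r"^(?P<ga>[^:\s]+:[^:\s]+)"
    r"(?::(?P<declared>\S+))?"
    r"(?:\s*->\s*(?P<resolved>\S+))?"
    r"(?P<flags>(?:\s\([*cn]\))*)$"
)


@dataclass
class Dep:
    ga: str                      # group:artifact
    declared: Optional[str]      # version requested by the parent
    resolved: Optional[str]      # version after conflict resolution ("-> x"), if shown
    omitted: bool                # "(*)": subtree was already printed earlier
    children: List["Dep"] = field(default_factory=list)

    @property
    def version(self) -> Optional[str]:
        return self.resolved or self.declared

    def label(self) -> str:
        return f"{self.ga}:{self.version}" if self.version else self.ga


def parse_tree(text: str) -> List[Dep]:
    """Build the forest of Dep nodes; non-tree lines (headers, legend) are skipped."""
    roots: List[Dep] = []
    stack: List[Dep] = []        # stack[i] is the most recent node at depth i
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 5
        d = DEP_RE.match(m.group(2))
        if d:
            dep = Dep(d["ga"], d["declared"], d["resolved"], "(*)" in d["flags"])
        else:                    # e.g. "project :core"; keep it so depths stay aligned
            dep = Dep(m.group(2), None, None, False)
        del stack[depth:]
        (stack[-1].children if stack else roots).append(dep)
        stack.append(dep)
    return roots


def _chains(nodes: List[Dep], trail: Tuple[Dep, ...] = ()) -> Iterator[Tuple[Dep, ...]]:
    """Pre-order walk yielding the ancestor chain ending at each node."""
    for node in nodes:
        here = trail + (node,)
        yield here
        yield from _chains(node.children, here)


def find_paths(text: str, group_artifact: str) -> List[List[str]]:
    """Every chain root -> ... -> target, each node as group:artifact:version."""
    return [[n.label() for n in chain]
            for chain in _chains(parse_tree(text)) if chain[-1].ga == group_artifact]


def resolved_versions(text: str, group_artifact: str) -> Set[str]:
    """Versions of the artifact that actually end up on the classpath."""
    return {chain[-1].version for chain in _chains(parse_tree(text))
            if chain[-1].ga == group_artifact and chain[-1].version}


if __name__ == "__main__":
    for path in find_paths(SAMPLE, "org.apache.velocity:velocity"):
        print(" -> ".join(path))
    print(resolved_versions(SAMPLE, "commons-collections:commons-collections"))
```

Run it against a saved `gradle dependencies --configuration runtimeClasspath` listing by passing the file contents instead of `SAMPLE`; the chain it prints for `org.apache.velocity:velocity` is the module whose dependency needs to change (in the comment's tree, `opensaml-saml-impl`). Matching on the resolved version matters in the other direction too: `commons-collections` is declared at 3.2.1 but reported as 3.2.2 because Gradle upgraded it, so a scanner keyed on declared versions would flag it wrongly.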