[ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222589#comment-16222589 ]
ASF GitHub Bot commented on ARTEMIS-1483:
-----------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/activemq-artemis/pull/1618

> Upgrade beanutils
> -----------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.3.0
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>             Fix For: 2.4.0
>
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to
> 3.2.2; however, this fix was not sufficient because ACC is also pulled in via
> Apache BeanUtils. This is a potential problem because it is enough for the
> bad library to be anywhere on the classpath, so whether Artemis is vulnerable or
> not may depend on the vagaries of classpath ordering (if both versions
> somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the
> CVE. If Artemis upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too.
> The reports it generates are excellent.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
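An added check for the classpath-ordering concern the report raises (example code, not part of the ticket or the Artemis project): it walks a lib/ directory, reads the Maven pom.properties that commons-collections jars carry, and flags every copy below 3.2.2, so a stale copy dragged in transitively (e.g. by commons-beanutils before 1.9.3) is caught even when a fixed copy sits beside it. The sample jars are constructed in a temp directory; real jars are assumed to carry the same META-INF/maven metadata.

```python
import tempfile
import zipfile
from pathlib import Path

FIXED = (3, 2, 2)  # commons-collections release that ARTEMIS-309 upgraded to


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    out = []
    for part in text.split("."):
        digits = "".join(c for c in part if c.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


def commons_collections_version(jar):
    """Version recorded in the jar's commons-collections pom.properties, or None."""
    prefix = "META-INF/maven/commons-collections/commons-collections/"
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith(prefix) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None


def scan(lib_dir):
    """Map every commons-collections jar in lib_dir (sorted, i.e. the usual
    lib/* classpath order) to its version, and list those below FIXED."""
    found = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        version = commons_collections_version(jar)
        if version is not None:
            found[jar.name] = version
    vulnerable = [n for n, v in found.items() if parse_version(v) < FIXED]
    return found, vulnerable


def write_jar(path, group, artifact, version):
    """Constructed minimal jar holding only Maven pom.properties (sample data)."""
    props = "META-INF/maven/%s/%s/pom.properties" % (group, artifact)
    body = "groupId=%s\nartifactId=%s\nversion=%s\n" % (group, artifact, version)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(props, body)


def demo():
    """Constructed lib/: beanutils 1.9.2 plus both a fixed and a stale ACC copy."""
    lib = Path(tempfile.mkdtemp())
    write_jar(lib / "commons-beanutils-1.9.2.jar", "commons-beanutils", "commons-beanutils", "1.9.2")
    write_jar(lib / "commons-collections-3.2.2.jar", "commons-collections", "commons-collections", "3.2.2")
    write_jar(lib / "commons-collections-3.2.1.jar", "commons-collections", "commons-collections", "3.2.1")
    return scan(lib)
```

Run against a real distribution, pass the lib/ directory to scan(); any non-empty second element means the fixed version may lose to the stale one depending on classpath order.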