[ https://issues.apache.org/jira/browse/ARTEMIS-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram reassigned ARTEMIS-2413:
---------------------------------------

    Assignee: Justin Bertram

> Upgrade JGroups
> ---------------
>
>                 Key: ARTEMIS-2413
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2413
>             Project: ActiveMQ Artemis
>          Issue Type: Dependency upgrade
>    Affects Versions: 2.6.4
>            Reporter: Endre Jeges
>            Assignee: Justin Bertram
>            Priority: Major
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> I have noticed with the OWASP dependency-check plugin (org.owasp:dependency-check-maven:5.0.0) that the currently used org.jgroups:jgroups:3.6.13.Final has a [CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')|https://ossindex.sonatype.org/vuln/7c83fdab-9665-4e79-bc81-cc67fbb96417] vulnerability. The problem has not been reported in the NVD database, therefore there is no CVE record.
> The vulnerability has been [addressed|https://github.com/belaban/JGroups/pull/348] in version org.jgroups:jgroups:4.0.2.Final (at the moment the latest version is org.jgroups:jgroups:4.1.1.Final).
> The org.jgroups:jgroups dependency would require an upgrade to resolve the vulnerability.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)