[ 
https://issues.apache.org/jira/browse/CAMEL-20049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17786712#comment-17786712
 ] 

Andrea Cosentino commented on CAMEL-20049:
------------------------------------------

It is used only as a test dependency. You're not really exposed to anything; 
also, we are not spinning up an ActiveMQ server.

You need to have an ActiveMQ server running for exploiting this CVE: 
https://github.com/oscerd/nice-cve-poc/tree/main/CVE-2023-46604

and we are not doing it. I understand your point and I understand you're giving 
trust to Snyk, but it is a test dependency and I think you can manage to make 
the Snyk static analyzer ignore test dependencies.

These reports need to be analyzed with a grain of salt sometimes.

> camel-activemq - Upgrade to latest releases
> -------------------------------------------
>
>                 Key: CAMEL-20049
>                 URL: https://issues.apache.org/jira/browse/CAMEL-20049
>             Project: Camel
>          Issue Type: Dependency upgrade
>          Components: camel-activemq
>            Reporter: Claus Ibsen
>            Assignee: Claus Ibsen
>            Priority: Major
>             Fix For: 3.14.10, 3.20.9, 3.21.3, 3.22.0, 4.0.3, 4.2.0
>
>         Attachments: screenshot-1.png
>
>
> There are new releases of ActiveMQ and Artemis.
> Though we only use this for testing, we need to be using the latest releases.
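The point of the comment above is that exposure to a CVE in a library depends on the scope the artifact is declared with: a Maven `test`-scoped dependency never reaches the runtime classpath of the shipped artifact, so a scanner that flags it without checking scope produces a finding that needs manual triage. The script below is an added example, not code from the Camel project or from the Jira thread; it parses a small constructed POM (the `org.example` coordinates and `${activemq.version}` property are assumptions) and reports, for a flagged artifact, whether it is declared in a scope that puts it on the runtime classpath.

```python
"""Triage helper: is a scanner-flagged Maven artifact only a test dependency?

Added example for the discussion above; not Camel project code. Parses the
top-level <dependencies> of a POM and reports each dependency's effective scope,
defaulting to Maven's "compile" when no <scope> element is present.
"""
import xml.etree.ElementTree as ET
from typing import Optional

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Scopes whose artifacts end up on the application's runtime classpath.
# "test" never does; "provided" is supplied by the container, so it is
# reported separately rather than treated as shipped with the build.
RUNTIME_SCOPES = {"compile", "runtime"}

# Constructed sample POM (not a real Camel module): camel-core at the default
# compile scope, activemq-client declared test-only.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>camel-activemq-demo</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core</artifactId>
      <version>${camel.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-client</artifactId>
      <version>${activemq.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def dependency_scopes(pom_xml: str) -> dict:
    """Return {"groupId:artifactId": scope} for each top-level <dependency>.

    Only <project><dependencies> is read; <dependencyManagement> entries are
    deliberately skipped because they pin versions without adding a dependency.
    """
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    scopes = {}
    for dep in root.findall(f"{ns}dependencies/{ns}dependency"):
        group = (dep.findtext(f"{ns}groupId") or "").strip()
        artifact = (dep.findtext(f"{ns}artifactId") or "").strip()
        scope = (dep.findtext(f"{ns}scope") or "compile").strip()
        scopes[f"{group}:{artifact}"] = scope
    return scopes


def runtime_exposed(pom_xml: str, group: str, artifact: str) -> Optional[bool]:
    """True if the artifact is on the runtime classpath, False if it is not
    (test/provided/system/import), None if the POM does not declare it."""
    scope = dependency_scopes(pom_xml).get(f"{group}:{artifact}")
    if scope is None:
        return None
    return scope in RUNTIME_SCOPES


def triage_report(pom_xml: str) -> dict:
    """Group declared dependencies by whether they ship at runtime."""
    report = {"runtime": [], "not_runtime": []}
    for coords, scope in dependency_scopes(pom_xml).items():
        bucket = "runtime" if scope in RUNTIME_SCOPES else "not_runtime"
        report[bucket].append(f"{coords} ({scope})")
    return report


if __name__ == "__main__":
    for bucket, entries in triage_report(SAMPLE_POM).items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
```

Run against a real module's POM, the "not_runtime" bucket is the list of scanner findings that warrant the "test dependency, not exposed" answer given in the comment, while anything in "runtime" still needs the upgrade. Transitive dependencies are not resolved here; for those, `mvn dependency:tree` is the authoritative source.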



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
