[
https://issues.apache.org/jira/browse/CODEC-293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17185037#comment-17185037
]
Alex Herbert commented on CODEC-293:
------------------------------------
The only non-final field in URLCodec class is marked as deprecated:
{code:java}
/**
 * The default charset used for string decoding and encoding.
 *
 * @deprecated TODO: This field will be changed to a private final Charset in 2.0. (CODEC-126)
 */
@Deprecated
protected volatile String charset;
{code}
This will be addressed in the next major release.
> Security issue reported in commons-codec-1.14.jar
> -------------------------------------------------
>
> Key: CODEC-293
> URL: https://issues.apache.org/jira/browse/CODEC-293
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.14
> Reporter: Kiran Kudtarkar
> Priority: Critical
>
> While performing scans of all our project artefacts, using Xray
> (https://jfrog.com/xray/)
> (https://jfrog.com/xray/features/),
> the below vulnerability has been reported by one of our clients.
>
> *Reported Issue: Apache Commons Codec org.apache.commons.codec.net.URLCodec
> Fields Missing 'final' Thread-safety Unspecified Issue*
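The thread-safety concern behind the scanner finding, as an added example that is not Commons Codec code: `MutableCodec`, `Reconfigurable` and `ImmutableCodec` are hypothetical stand-ins that copy only the field declaration quoted in the comment and the `private final Charset` shape its deprecation note describes.

```java
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class CharsetFieldDemo {

    // Hypothetical stand-in: same field declaration as the quoted snippet.
    static class MutableCodec {
        protected volatile String charset;

        MutableCodec(String charset) { this.charset = charset; }

        byte[] encode(String s) throws UnsupportedEncodingException {
            return s.getBytes(charset); // reads whatever the field holds right now
        }
    }

    // Any subclass may reassign the inherited field after construction.
    static class Reconfigurable extends MutableCodec {
        Reconfigurable(String charset) { super(charset); }

        void switchTo(String name) { this.charset = name; }
    }

    // The shape the deprecation note describes: fixed at construction.
    static final class ImmutableCodec {
        private final Charset charset;

        ImmutableCodec(Charset charset) { this.charset = charset; }

        byte[] encode(String s) { return s.getBytes(charset); }
    }

    public static void main(String[] args) throws Exception {
        String input = "\u00e9"; // encodes to a different byte length per charset
        Reconfigurable shared = new Reconfigurable("UTF-8");
        ImmutableCodec fixed = new ImmutableCodec(StandardCharsets.UTF_8);

        int before = shared.encode(input).length;
        Thread other = new Thread(() -> shared.switchTo("ISO-8859-1"));
        other.start();
        other.join(); // the write is now visible to this thread
        int after = shared.encode(input).length;

        System.out.println("shared codec:  " + before + " -> " + after + " bytes");
        System.out.println("final charset: " + fixed.encode(input).length + " bytes");
    }
}
```

With the mutable field, the bytes a caller gets back depend on which thread last wrote `charset`; with the final field the encoding is fixed for the lifetime of the object.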