[ https://issues.apache.org/jira/browse/MNG-7414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Heinz Marbaise updated MNG-7414:
-------------------------------------
    Fix Version/s: waiting-for-feedback
                   wontfix-candidate

> Maven version 3.8.3 + 3.8.4 have jsoup vulnerability
> ----------------------------------------------------
>
>                 Key: MNG-7414
>                 URL: https://issues.apache.org/jira/browse/MNG-7414
>             Project: Maven
>          Issue Type: Bug
>            Reporter: Ksenia Hershkovici
>            Priority: Major
>             Fix For: waiting-for-feedback, wontfix-candidate
>
>
> Hi Team,
> We are facing a jsoup component vulnerability with Maven versions 3.8.3 and
> 3.8.4, which is the latest released version of Maven. The CVE details are:
> CVE-2021-37714
> The jsoup version which is getting installed while installing Maven 3.8.3 and
> 3.8.4 is v1.12.1.
> We noticed that both versions have Wagon 3.4.3 that is probably installing
> jsoup v1.12.1.
> Can you please provide the details of the next Maven version release with this
> fix in it?
> Thanks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
