Hello everyone, I've discovered that a dependency in the axis2 clustering component makes axis2 vulnerable to CVE-2020-0822, filed against tomcat, which has a NIST score of 8.4 high.
A maven dependency analysis shows this:

INFO [m] +- org.apache.axis2:axis2-clustering:jar:1.8.0-SNAPSHOT:compile
INFO [m] | +- org.apache.tomcat:tribes:jar:6.0.53:compile
INFO [m] | \- org.apache.tomcat:juli:jar:6.0.53:compile

I don't understand why axis2 depends on tomcat. Can someone explain please?

--
Regards,
Andrew Marlow
http://www.andrewpetermarlow.co.uk
