[
https://issues.apache.org/jira/browse/OAK-12203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18078629#comment-18078629
]
Alejandro Moratinos commented on OAK-12203:
-------------------------------------------
Created PR to update mina-core version to 2.1.12, latest minor version
available.
[https://github.com/apache/jackrabbit-oak/pull/2889]
> Oak-auth-ldap uses vulnerable org.apache.mina.mina-core
> -------------------------------------------------------
>
> Key: OAK-12203
> URL: https://issues.apache.org/jira/browse/OAK-12203
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: security
> Reporter: Alejandro Moratinos
> Assignee: Alejandro Moratinos
> Priority: Major
>
> Oak-auth-ldap artifact embeds mina-core 2.1.10 which contains the following
> vulnerabilities:
> * *CVE-2026-41635* in version 2.1.10 (CVSS 9.8 Critical): Apache MINA's
> AbstractIoBuffer.resolveClass() contains two branches, one of them (for
> static classes or primitive types) does not check the class at all, bypassing
> the classname allowlist and allowing arbitrary code to be executed. The fix
> checks if the class is present in the accepted class filter before calling
> Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <=
> 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28,
> 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are
> applications using Apache MINA that call IoBuffer.getObject(). Applications
> using Apache MINA are advised to upgrade.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
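The fix pattern the description gives (apply the classname allowlist before any class is loaded, on every branch) shown as an added, stand-alone illustration; this is not Apache MINA's code or its IoBuffer API, and the class name AllowlistObjectInputStream and the sample inputs are constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Added illustration, not Apache MINA's code: a deserializer whose class-name
// allowlist is enforced on every path before super.resolveClass() can load anything.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private static final Set<String> PRIMITIVES = Set.of("Z", "B", "C", "S", "I", "J", "F", "D");
    private final Set<String> allowed;
    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }
    // "[[Lcom.example.Foo;" -> "com.example.Foo" and "[I" -> "I": arrays are judged
    // by their element type instead of slipping past the name check.
    static String elementName(String name) {
        String n = name;
        while (n.startsWith("[")) n = n.substring(1);
        return (n.startsWith("L") && n.endsWith(";")) ? n.substring(1, n.length() - 1) : n;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = elementName(desc.getName());
        if (!PRIMITIVES.contains(name) && !allowed.contains(name)) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc); // reached only for allowlisted or primitive element types
    }
    @Override // dynamic proxies are a separate resolution path; close it too
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
        throw new InvalidClassException("dynamic proxies are not accepted");
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("java.lang.String");
        byte[] ok = serialize(new String[] {"a", "b"});            // constructed sample input
        byte[] bad = serialize(new HashMap<String, String>());     // not on the allowlist
        for (byte[] data : new byte[][] {ok, bad}) {
            try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
                System.out.println("accepted: " + Arrays.deepToString((Object[]) in.readObject()));
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check runs before any class is resolved, so a name that is not allowlisted is rejected whether it arrives as a plain class or wrapped in array brackets.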