[ https://issues.apache.org/jira/browse/MSITE-830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16687112#comment-16687112 ]
Olaf Flebbe commented on MSITE-830:
-----------------------------------

I looked at some of the dependencies. struts for instance is injected via doxia-site-rendering <-> velocity-tools. There was a new release of velocity tools which seems to address some of the issues we see. But IMHO here is the wrong place to discuss: doxia-site-rendering should be improved, then maven-site can pick this up.

> Dependency upgrades related to identified security reports
> ----------------------------------------------------------
>
>                 Key: MSITE-830
>                 URL: https://issues.apache.org/jira/browse/MSITE-830
>             Project: Maven Site Plugin
>          Issue Type: Improvement
>            Reporter: Sylwester Lachiewicz
>            Priority: Major
>
> Fix problems reported by [Snyk.io|https://snyk.io/]
>
> |H|[Arbitrary File Write via Archive Extraction (Zip Slip)|https://app.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680] in org.codehaus.plexus:plexus-archiver|
> |H|[Arbitrary Code Execution|https://app.snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077] in commons-beanutils:commons-beanutils|
> |H|[Arbitrary Code Execution|https://app.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078] in commons-collections:commons-collections|
> |H|[XML External Entity (XXE) Injection|https://app.snyk.io/vuln/SNYK-JAVA-DOM4J-72444] in dom4j:dom4j|
> |H|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEPDFBOX-32417] in org.apache.pdfbox:fontbox|
> |H|[Arbitrary Code Injection|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30763] in org.apache.struts:struts-core|
> |H|[Arbitrary Command Execution|https://app.snyk.io/vuln/SNYK-JAVA-ORGMORTBAYJETTY-32091] in org.mortbay.jetty:jetty|
> |M|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-32122] in org.apache.commons:commons-compress|
> |M|[Directory Traversal|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-72275] in org.apache.commons:commons-compress|
> |M|[Man-in-the-Middle (MitM)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646] in org.apache.httpcomponents:httpclient|
> |M|[Directory Traversal|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517] in org.apache.httpcomponents:httpclient|
> |M|[Improper Input Validation|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30645] in org.apache.httpcomponents:httpclient|
> |M|[Information Exposure|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30644] in org.apache.httpcomponents:httpclient|
> |M|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30647] in org.apache.httpcomponents:httpclient|
> |M|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEPDFBOX-72426] in org.apache.pdfbox:pdfbox|
> |L|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-32473] in org.apache.commons:commons-compress|

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
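Added example (not from the ticket, the Maven Site Plugin or Doxia): a small script that parses `mvn dependency:tree` output and, for each groupId:artifactId flagged in the report table above, prints the transitive chain through which it enters the build, which is the check behind the comment's observation that struts arrives via doxia-site-rendering and velocity-tools. The tree text is constructed (versions are the placeholder `X.Y`, and `doxia-site-renderer` is assumed to be the artifact the comment calls doxia-site-rendering), so it illustrates the reasoning rather than a verified resolution.

```python
import re

# Constructed sample of `mvn dependency:tree` output; not a real resolution.
SAMPLE_TREE = """\
[INFO] org.apache.maven.plugins:maven-site-plugin:maven-plugin:X.Y
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:X.Y:compile
[INFO] |  +- org.apache.velocity:velocity-tools:jar:X.Y:compile
[INFO] |  |  +- org.apache.struts:struts-core:jar:X.Y:compile
[INFO] |  |  \\- commons-beanutils:commons-beanutils:jar:X.Y:compile
[INFO] |  \\- org.apache.velocity:velocity:jar:X.Y:compile
[INFO] \\- org.codehaus.plexus:plexus-archiver:jar:X.Y:compile
"""

# groupId:artifactId pairs taken from the issue's report table.
FLAGGED = {
    "org.apache.struts:struts-core",
    "commons-beanutils:commons-beanutils",
    "org.codehaus.plexus:plexus-archiver",
    "dom4j:dom4j",  # absent from the sample tree: reported as not found
}

# indent in groups of three ("|  " or "   "), optional "+- "/"\- " marker, node
_NODE = re.compile(r"^((?:[|\s]{3})*)([+\\]- )?(\S+)$")

def parse_tree(text):
    """Map each groupId:artifactId to its ancestor chain, root first."""
    paths, stack = {}, []
    for line in text.splitlines():
        m = _NODE.match(re.sub(r"^\[INFO\] ", "", line))
        if not m:
            continue  # blank or non-tree line
        indent, marker, node = m.groups()
        depth = len(indent) // 3 + (1 if marker else 0)
        group_id, artifact_id = node.split(":")[:2]
        coord = f"{group_id}:{artifact_id}"
        stack = stack[:depth] + [coord]  # drop siblings' subtrees, push self
        paths[coord] = list(stack)
    return paths

def trace_flagged(text, flagged):
    """Return {flagged coord: chain from the root, or None if not resolved}."""
    paths = parse_tree(text)
    return {coord: paths.get(coord) for coord in sorted(flagged)}

if __name__ == "__main__":
    for coord, chain in trace_flagged(SAMPLE_TREE, FLAGGED).items():
        print(coord, "<-", " -> ".join(chain) if chain else "not in tree")
```

Run it against the real output of `mvn dependency:tree` on the plugin to see which direct dependency (and which intermediate) has to be upgraded or excluded for each flagged artifact.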