[ https://issues.apache.org/jira/browse/FELIX-6193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré reassigned FELIX-6193:
-------------------------------------------

    Assignee: Jean-Baptiste Onofré

> Update maven-archiver + plexus-utils
> ------------------------------------
>
>                 Key: FELIX-6193
>                 URL: https://issues.apache.org/jira/browse/FELIX-6193
>             Project: Felix
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: maven-bundle-plugin-4.2.2
>
>
> We should update the versions of maven-archiver + plexus-utils in the
> maven-bundle-plugin to remove the CVEs:
> plexus-archiver-2.8.1.jar
> (pkg:maven/org.codehaus.plexus/plexus-archiver@2.8.1,
> cpe:2.3:a:plexus-archiver_project:plexus-archiver:2.8.1:*:*:*:*:*:*:*) :
> CVE-2018-1002200
> plexus-utils-3.0.10.jar (pkg:maven/org.codehaus.plexus/plexus-utils@3.0.10,
> cpe:2.3:a:plexus-utils_project:plexus-utils:3.0.10:*:*:*:*:*:*:*) :
> CVE-2017-1000487, Directory traversal in org.codehaus.plexus.util.Expand,
> Possible XML Injection

--
This message was sent by Atlassian Jira
(v8.3.4#803005)