Re: Security vulnerabilities in BlazeDS 4.7.2

2016-11-21 Thread Christofer Dutz
Hi Oleg, it seems these issues are not related to BlazeDS ... the flex-messaging-opt-tomcat7-4.7.2.jar for example contains only one class. The CVEs reported by that tool seem to all be related to tomcat. We can’t do much about that. Also as far as I know there aren’t any CVEs in any of the

Re: Security vulnerabilities in BlazeDS 4.7.2

2016-11-21 Thread olegkon
Actually, with BlazeDS 4.01 blazeds-core-4.0.0.14931.jar there was only 1 vulnerable file and 1 High and 1 medium vulnerability. CVE-2011-2092 suppress Severity: High CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) CWE: CWE-20 Improper Input Validation Adobe LiveCycle Data Services 3.1

Re: Security vulnerabilities in BlazeDS 4.7.2

2016-11-21 Thread Gary Yang
As a user I would expect something like: and force users to understand and provide this pattern explicitly in production deployment On Mon, Nov 21, 2016 at 10:50 AM, olegkon wrote: > Hi, > > We are in the process of upgrading BlazeDS in Flex+Java web

Security vulnerabilities in BlazeDS 4.7.2

2016-11-21 Thread olegkon
Hi, We are in the process of upgrading BlazeDS in a Flex+Java web app, because when we run OWASP Dependency Check 1.4.3, it showed High Vulnerabilities in 1 file: Dependency CPE GAV Highest Severity CVE Count CPE Confidence Evidence Count cre.war: blazeds-core-4.0.0.14931.jar