Good day, I am researching an issue raised by Sonatype (sonatype-2020-1349) -- that org.apache.commons:commons-dbcp2 has an "information exposure" vulnerability, and that all versions, including version 2.8.0, are vulnerable.
It appears that Gary's commit of Sep 21, 2020 (mask out name and password) fixed the issue: https://github.com/apache/commons-dbcp/blob/rel/commons-dbcp-2.8.0/RELEASE-NOTES.txt

Yet Sonatype is claiming that version 2.8.0 is vulnerable to information disclosure. Indeed, WhiteSource and Snyk.io are also reporting that versions of Apache Commons DBCP including 2.8.0 are vulnerable:

WhiteSource
    Upgrade Version: No fix version available
    CVSS 3.1
    https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287

Sonatype-2020-1349
    CVSS Vector: CVSS:3.1
    The Apache Commons DBCP packages are vulnerable to Insufficiently Protected Credential. The application is vulnerable by using this component.

Snyk.io
    https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
    All versions vulnerable to Information exposure, including the latest published 21 Sep, 2020: org.apache.commons:commons-dbcp2 2.8.0

Was Gary's commit never released? Or did Gary's released commit fix the issue, and somehow Sonatype, Snyk.io, and WhiteSource are incorrectly reporting commons-dbcp2 version 2.8.0 as vulnerable to Information Exposure?

Thanks for your prompt response.

Regards,
Adesina
