See https://issues.apache.org/jira/browse/DBCP-562 which is still open.
On Wed, 26 May 2021 at 10:29, Adesina Adebiyi <[email protected]> wrote:
>
> Good day,
>
> I am researching an issue raised by sonatype (sonatype-2020-1349) -- that org.apache.commons:commons-dbcp2 has an "information exposure" vulnerability, that all versions, including version 2.8.0, are vulnerable.
>
> It appears that Gary's commit of Sep 21, 2020 (mask out name and password) fixed the issue:
> https://github.com/apache/commons-dbcp/blob/rel/commons-dbcp-2.8.0/RELEASE-NOTES.txt
>
> Yet Sonatype is claiming that version 2.8.0 is vulnerable to information disclosure. Indeed, WhiteSource and Snyk.io are also reporting that versions of Apache Commons including 2.8.0 are vulnerable:
>
> WhiteSource
> Upgrade Version : No fix version available
> CVSS 3.1
> https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287
>
> Sonatype-2020-1349
> CVSS Vector:CVSS:3.1 The Apache Commons DBCP packages are vulnerable to Insufficiently Protected Credential
> The application is vulnerable by using this component
>
> Snyk.io
> https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
> All versions vulnerable to Information exposure including the latest published 21 Sep, 2020 org.apache.commons:commons-dbcp2 2.8.0
>
> Was Gary's commit never released? Or did Gary's released commit fix the issue and somehow Sonatype, Snyk.io, and WhiteSource are incorrectly reporting commons-dbcp2 version 2.8.0 as vulnerable to Information Exposure?
>
> Thanks for your prompt response.
>
> Regards.
>
> Adesina
