I hope to have a release candidate for 2.9.0 this week that no longer publishes the password via JMX.
Gary

On Wed, May 26, 2021, 11:09 Adesina Adebiyi <[email protected]> wrote:

> Good day,
>
> I trust this my enquiry will find you well.
>
> I am researching an issue raised by Sonatype (sonatype-2020-1349).
>
> It looks like Gary Gregory's commit of Sep 21, 2020 fixed the issue:
>
> https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd
>
> Yet, Sonatype is still claiming that version 2.8.0 is vulnerable. Indeed,
> WhiteSource and Snyk.io are also claiming that all versions of the Apache
> Commons DBCP including version 2.8.0 are vulnerable:
>
> WhiteSource
> Upgrade Version
> No fix version available
> CVSS v3.1
> https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287
>
> sonatype-2020-1349
> CVSS Vector: CVSS:3.1
> The Apache Commons DBCP packages are vulnerable to Insufficiently Protected
> Credentials.
> The application is vulnerable by using this component
>
> https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
> Vulnerability: Information Exposure
> Vulnerable versions: [0,]
> org.apache.commons:commons-dbcp2 2.8.0 Published 21 Sep, 2020
>
> I would really appreciate your help and insight on this: Was Gary's commit
> never released? Or could it be that WhiteSource, Sonatype, and Snyk.io are
> all reporting this incorrectly since Gary's "released" commit already fixed
> the issue?
>
> Thank you in advance for your prompt response. And stay safe as we
> continue to emerge from the Covid-19 public health concerns.
>
> Regards,
>
> Adesina
>
> --
> This message contains proprietary information from Equifax which may be
> confidential. If you are not an intended recipient, please refrain from any
> disclosure, copying, distribution or use of this information and note that
> such actions are prohibited. If you have received this transmission in
> error, please notify by e-mail [email protected]
> <mailto:[email protected]>.
>
> Equifax® is a registered trademark of Equifax Inc. All rights reserved.
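The exposure discussed in this thread is a JMX MBean attribute that returns the data source password in clear text. The following is an added example, not code from the thread or from Commons DBCP, that a deployer can run inside the affected JVM (or from a class loaded into it) to audit the platform MBean server for readable credential-like attributes. It assumes only the standard `javax.management` API; the list of suspect substrings is an assumption, and it assumes the application has already set a `jmxName` on its `BasicDataSource` and created the pool, since DBCP registers its MBean only once the data source is in use.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/**
 * Added example (not from the mailing-list thread or from Commons DBCP).
 * Walks every MBean registered in the platform MBean server and reports
 * readable attributes whose names look like credentials, so a deployer can
 * confirm whether a data source still publishes its password over JMX.
 */
public class JmxCredentialAttributeAudit {

    /** Lower-case substrings treated as credential-like; assumed, extend as needed. */
    private static final String[] SUSPECT = {"password", "passwd", "secret"};

    /**
     * Returns "objectName -> attributeName" for each readable attribute whose
     * name contains one of the SUSPECT substrings.
     */
    public static List<String> findCredentialAttributes(MBeanServer server) throws Exception {
        List<String> hits = new ArrayList<>();
        // queryNames(null, null) enumerates every registered MBean.
        for (ObjectName name : server.queryNames(null, null)) {
            for (MBeanAttributeInfo attr : server.getMBeanInfo(name).getAttributes()) {
                String lower = attr.getName().toLowerCase(Locale.ROOT);
                for (String s : SUSPECT) {
                    // Only readable attributes can leak a value to a JMX client.
                    if (lower.contains(s) && attr.isReadable()) {
                        hits.add(name + " -> " + attr.getName());
                        break;
                    }
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        List<String> hits = findCredentialAttributes(server);
        if (hits.isEmpty()) {
            System.out.println("No readable credential-like MBean attributes found.");
        } else {
            System.out.println("Readable credential-like MBean attributes:");
            hits.forEach(h -> System.out.println("  " + h));
        }
    }
}
```

A non-empty result is the condition to look for when verifying an upgrade: after moving to a release that no longer exports the password, the data source MBean should drop out of the list. The check matters most where remote JMX is enabled (the `com.sun.management.jmxremote` properties) or where other local processes can attach to the JVM, because those are the paths through which a readable attribute becomes an information exposure.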
