[ARTEMIS-2363] spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.8.1
Fix Version/s: 2.10.0
Component/s: Broker
Labels:
- build
- easyfix
- security

Flags:

Important
External issue URL:
https://nvd.nist.gov/vuln/detail/CVE-2018-15756
External issue ID:
https://nvd.nist.gov/vuln/detail/CVE-2018-15756

Description

Please upgrade the vulnerabile third party libraies that are used with Apache ActiveMQ Artimis

Dependency CPE Highest Severity CVE Count CPE Confidence
---------------------------------|--------------------------------------------|------------------|-------------|----------------------

spring-core-5.0.1.RELEASE.jar cpe:/a:springsource:spring_framework:5.0.1 High 8 Highest
https://nvd.nist.gov/vuln/detail/CVE-2018-15756
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Mitigation : Spring-core-5.0.1 is from Oct 2017, the latetst 5..1.7 is from May 2019

Attachments

Issue Links

links to

GitHub Pull Request #2735

Activity

People

Assignee:: Justin Bertram

Reporter:: Albert Baker

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 29/May/19 19:39

Updated:: 26/Aug/19 19:03

Resolved:: 26/Aug/19 19:03

Time Tracking

Estimated:

Remaining:

1h 50m

Logged:

10m