[AXIS2-6067] CVE with dependency jars of axis2 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.8.2
Fix Version/s: 2.0.0
Component/s: codegen, json, kernel
Labels:
None

Description

Per sonatype Repository SBOM Report, the following CVEs affect packages in the current latest axis2 version 1.8.2 and should be patched ASAP:

Issue - CVE-2022-40152 -

Source
[INFO] org.apache.axis2:axis2-webapp:war:1.8.2
[INFO] +- org.apache.axis2:axis2-jibx:jar:1.8.2:compile
[INFO] | +- org.apache.axis2:axis2-kernel:jar:1.8.2:compile
[INFO] | | +- org.apache.ws.commons.axiom:axiom-impl:jar:1.4.0:runtime
[INFO] | | | - com.fasterxml.woodstox:woodstox-core:jar:6.2.8:runtime

Issue - CVE-2023-3635

Source
[INFO] | +- org.apache.axis2:axis2-json:jar:1.8.2:compile
[INFO] | +- org.codehaus.jettison:jettison:jar:1.5.0:compile
[INFO] | +- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] | +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] | +- com.squareup.moshi:moshi:jar:1.13.0:compile
[INFO] | | +- com.squareup.okio:okio:jar:2.10.0:compile

Issue - CVE-2023-2976

Source
[INFO] +- org.apache.axis2:axis2-codegen:jar:1.8.2:compile
[INFO] | +- com.google.googlejavaformat:google-java-format:jar:1.7:compile
[INFO] | | +- com.google.guava:guava:jar:31.1-jre:compile

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ajay

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/May/24 09:50

Updated:: 27/Oct/24 18:43

Resolved:: 27/Oct/24 18:43