Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Fix Version/s: maven-bundle-plugin-3.2.0
Description
maven-bundle-plugin includes org.apache.maven:maven-archiver 2.5 as a compile dependency.
This version of maven-archiver uses org.codehaus.plexus:plexus-archiver 2.1, which is affected by CVE-2012-2098 (CVSS base score 5.0), a CPU-exhaustion denial of service triggered by crafted input to the bzip2 compressor.
The CVE text refers to the "sorting algorithms in bzip2 compressing stream" of Apache Commons Compress, but a plexus-archiver defect reference confirms that the issue applies to plexus-archiver versions prior to 2.3.1, since plexus-archiver delegates bzip2 handling to Commons Compress.
Thus, upgrade the Bundle Plugin's maven-archiver dependency to 2.6 (which uses plexus-archiver 2.8.1) or later in order to mitigate the issue.
The current release of maven-archiver is 3.1.1.
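Until a maven-bundle-plugin release that ships the upgraded maven-archiver is in use, a project can override the affected plexus-archiver itself, because dependencies declared inside a plugin's own <dependencies> block take precedence over the plugin's transitive ones. The POM fragment below is an added example and is not code from this issue or from the Felix project; the plugin version 3.0.1 is an assumed stand-in for any affected release earlier than the fix version, and the maven-archiver version is the one recommended above.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.felix</groupId>
      <artifactId>maven-bundle-plugin</artifactId>
      <!-- assumed: any release before the fix version 3.2.0 -->
      <version>3.0.1</version>
      <extensions>true</extensions>
      <dependencies>
        <!-- Plugin-level dependency: forces maven-archiver 2.6, which in turn
             pulls plexus-archiver 2.8.1 instead of the CVE-2012-2098-affected 2.1 -->
        <dependency>
          <groupId>org.apache.maven</groupId>
          <artifactId>maven-archiver</artifactId>
          <version>2.6</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

To confirm the override took effect, run mvn dependency:resolve-plugins in the project: it lists each plugin together with its resolved dependencies, and the org.codehaus.plexus:plexus-archiver entry under maven-bundle-plugin should now read 2.8.1 rather than 2.1.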