  1. Maven Dependency Plugin
  2. MDEP-531

MDP 2.10 depends on a known insecure library commons-collections:3.2.1

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.10
    • Fix Version/s: 3.0.0
    • Component/s: None
    • Labels:
      None

      Description

      org.apache.maven.plugins:maven-dependency-plugin:2.10 has the following dependency:

          <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
          </dependency>
      

      This version of commons-collections has a known severe security vulnerability:

      https://www.kb.cert.org/vuls/id/576313
      https://commons.apache.org/proper/commons-collections/security-reports.html

      Please upgrade to a newer version of commons-collections as the insecure version is blocked for my usage.

            People

            • Assignee:
              schulte77 Christian Schulte
              Reporter:
              paulmfarrar Paul Farrar