Apache Taverna: TAVERNA-934

Security fix: Upgrade Commons Collections

    Details

    • Flags:
      Important

      Description

      As raised by Glenn Lewis in
      https://github.com/apache/incubator-taverna-server/pull/1
      we use Commons Collections 3.2.1, which has a CVSS 10.0 remote code execution vulnerability.

      This affects anyone who has Commons Collections on the classpath - basically, through Maven dependencies, that would also mean anyone who has the Taverna SCUFL2 API on the classpath.

      This does not affect just Taverna Server, but also indirectly, as Commons Collections is also a transitive dependency, e.g. from commons-beanutils:

      [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:test
      [INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
      [INFO] |  \- commons-collections:commons-collections:jar:3.2.1:test

      Thus we should update taverna-maven-parent - perhaps to have a <dependencyManagement> section - to force a newer version of commons-collections across the board.
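The pinning described in the issue, shown as an added example rather than the Taverna project's own pom.xml: a `<dependencyManagement>` entry in a parent POM that forces one version of commons-collections onto every module inheriting from it. The parent's groupId and version are assumptions; 3.2.2 is the Commons Collections 3.x release that addressed the deserialization issue. A managed version in Maven overrides the version of transitive occurrences as well, so the 3.2.1 pulled in via commons-beanutils in the tree above is replaced without touching commons-beanutils itself.

```xml
<!-- Added example, not the Taverna project's actual taverna-maven-parent.
     groupId and version of the parent are assumed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.taverna</groupId>            <!-- assumed -->
  <artifactId>taverna-maven-parent</artifactId>
  <version>3-SNAPSHOT</version>                    <!-- assumed -->
  <packaging>pom</packaging>

  <properties>
    <!-- One place to bump when the next Commons Collections advisory lands.
         3.2.2 is the 3.x release that addressed the deserialization issue. -->
    <commons.collections.version>3.2.2</commons.collections.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Applies to every module that inherits from this parent, and to
           both direct and transitive occurrences of the artifact, e.g. the
           3.2.1 that commons-beanutils:1.9.2 drags in. Modules still have
           to declare the dependency (without a version) to use it directly. -->
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>${commons.collections.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After the change, `mvn dependency:tree -Dincludes=commons-collections` run in a child module should show only 3.2.2 (the output marks overridden versions as "managed from"). Two caveats a practitioner should keep in mind: the managed version only reaches modules that inherit from this parent, so third parties with the SCUFL2 API on their classpath resolve commons-collections by their own rules and must pin it in their own build; and the occurrence in the tree above is test-scoped, so what matters for a deployed artifact is any compile or runtime occurrence, which the same `dependency:tree` check will surface. To stop 3.2.1 from reappearing through a new transitive path, the maven-enforcer-plugin `bannedDependencies` rule with an exclude of `commons-collections:commons-collections:[,3.2.2)` fails the build rather than silently resolving the old version.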


            People

            • Assignee:
              stain Stian Soiland-Reyes
              Reporter:
              stain Stian Soiland-Reyes
            • Votes:
              0
              Watchers:
              2
