[TOMEE-4111] Upgrade bcel component in TomEE - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Dependency upgrade
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 9.0.0.RC1, 8.0.13
Fix Version/s: 8.0.14, 9.0.0
Component/s: TomEE Core Server
Labels:
- CVE
- security

Description

Vulnerability Details
CVE-2022-42920

Affected Component(s): Apache Commons BCEL, commons-bcel
Vulnerability Published: 2022-11-07 08:15 EST
Vulnerability Updated: 2022-11-07 23:20 EST
CVSS Score: 9.8 (overall), 9.8 (base)

Summary: Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

Solution: N/A

Workaround: N/A

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

tomee-8.x.txt
17/Nov/22 19:20
983 kB
Richard Zowalla

Issue Links

links to

GitHub Pull Request #979

GitHub Pull Request #980

Activity

People

Assignee:: Richard Zowalla

Reporter:: Nikhil

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 15/Nov/22 07:16

Updated:: 28/Nov/22 10:54

Resolved:: 28/Nov/22 10:54

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m