  1. WSS4J
  2. WSS-683

WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.3.1
    • None
    • WSS4J Core

    Description

      WSS4J has a transitive dependency on velocity 1.7 (via OpenSAML 3.x) which is subject to a high security vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2020-13936).

      WSS4J should update its OpenSAML dependency to 4.x, thereby allowing velocity-core-engine to be updated to the patched version (2.3).

      Attachments

        1. WSS_Sample.zip
          80 kB
          Nick Monkman

            People

              coheigea Colm O hEigeartaigh
              kraberus Nick Monkman