[
https://issues.apache.org/jira/browse/TOMEE-2908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331972#comment-17331972
]
Jayaprakash commented on TOMEE-2908:
------------------------------------
[~rzo1],
Thanks a lot for the quick response. Is there any planned release date for the
7.0.10 version?
> TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability
> ----------------------------------------------------------------------
>
> Key: TOMEE-2908
> URL: https://issues.apache.org/jira/browse/TOMEE-2908
> Project: TomEE
> Issue Type: Bug
> Reporter: Pardeep Kumar
> Assignee: Jonathan Gallimore
> Priority: Major
>
> TomEE plus version is using the *cryptacular-1.0.jar* which is affected by
> vulnerability CVE-2020-7226 (BDSA-2020-2333) with a CVSS score of 6.5 which
> causes denial-of-service (DoS) due to the mismanagement of system memory
> resources.
> *Issue:* _CiphertextHeader.java_ in Cryptacular 1.2.3, as used in Apereo CAS
> and other products, allows attackers to trigger excessive memory allocation
> during a decode operation, because the nonce array length associated with
> "new byte" may depend on untrusted input within the header of encoded data.
>
> Please confirm if this vulnerability impacts version 7.0.7, 7.0.8, 7.1.2, and
> 7.1.3?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
