[ 
https://issues.apache.org/jira/browse/TOMEE-4111?focusedWorklogId=829267&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-829267
 ]

ASF GitHub Bot logged work on TOMEE-4111:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Nov/22 10:54
            Start Date: 28/Nov/22 10:54
    Worklog Time Spent: 10m 
      Work Description: rzo1 merged PR #980:
URL: https://github.com/apache/tomee/pull/980
Issue Time Tracking
-------------------

    Worklog Id:     (was: 829267)
    Time Spent: 40m  (was: 0.5h)

> Upgrade bcel component in TomEE
> -------------------------------
>
>                 Key: TOMEE-4111
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4111
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 9.0.0.RC1, 8.0.13
>            Reporter: Nikhil
>            Priority: Major
>              Labels: CVE, security
>         Attachments: tomee-8.x.txt
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Vulnerability Details
> CVE-2022-42920
> Affected Component(s): Apache Commons BCEL, commons-bcel
> Vulnerability Published: 2022-11-07 08:15 EST
> Vulnerability Updated: 2022-11-07 23:20 EST
> CVSS Score: 9.8 (overall), 9.8 (base)
> Summary: Apache Commons BCEL has a number of APIs that would normally only 
> allow changing specific class characteristics. However, due to an 
> out-of-bounds writing issue, these APIs can be used to produce arbitrary 
> bytecode. This could be abused in applications that pass 
> attacker-controllable data to those APIs, giving the attacker more control 
> over the resulting bytecode than otherwise expected. Update to Apache Commons 
> BCEL 6.6.0.
> Solution: N/A
> Workaround: N/A
--
This message was sent by Atlassian Jira
(v8.20.10#820010)