> It's not a bug - that advisory was just raised against a sample that CXF
> ships with.

I know, unfortunately the dependency check reports it as soon as any CXF dependency is present (try mvn org.owasp:dependency-check-maven:check to reproduce). If failBuildOnCVSS is set, the build will fail unless you define a suppression for it. That's why I thought a comment might be useful for users that hit this CVE.

Regards
Dennis
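
A suppression of the kind mentioned above could look like the following. This is an added example, not part of the original message or of the CXF project; the file name, the notes text and the CVE id are placeholders, and the package URL pattern assumes the finding is reported against org.apache.cxf artifacts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  dependency-check-suppressions.xml (hypothetical file name).
  Point the dependency-check-maven plugin at it with its suppressionFile
  parameter so that a failBuildOnCVSS threshold no longer fails the build
  on this one finding.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <!-- Record why the finding is suppressed so the entry can be reviewed later. -->
    <notes><![CDATA[
      Advisory was raised against a sample that CXF ships with,
      not against the CXF libraries this build depends on.
    ]]></notes>
    <!-- Assumption: limit the suppression to CXF artifacts only. -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.cxf/.*$</packageUrl>
    <!-- Placeholder: replace with the exact CVE id shown in the dependency-check report. -->
    <cve>CVE-XXXX-XXXXX</cve>
  </suppress>
</suppressions>
```

Scoping the entry to one CVE id and one group of artifacts keeps every other finding against CXF subject to the failBuildOnCVSS threshold.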
