[
https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17387848#comment-17387848
]
Romain Manni-Bucau commented on GERONIMO-6814:
----------------------------------------------
Hi,
AFAIK these vulnerabilities are related to the server and not the spec jar, but CVE
scanners mix them up due to the groupId, so it looks like a false positive to me.
> Improve Geronimo specs to mitigate CVE-2011-5034
> ------------------------------------------------
>
> Key: GERONIMO-6814
> URL: https://issues.apache.org/jira/browse/GERONIMO-6814
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: geronimo-maven-plugin
> Affects Versions: 1.1.1
> Reporter: Karthick
> Priority: Major
>
> Hi,
>
> By default Apache Karaf 4.3.2 ([Maven Repository: org.apache.karaf »
> apache-karaf » 4.3.2
> (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.karaf/apache-karaf/4.3.2])
> packs jms_geronimo_1.1_spec version 1.1.1, which, when scanned through
> security tools like JFrog Xray and Anchore, reports CVE-2011-5034 ([NVD -
> CVE-2011-5034 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2011-5034]).
> However, there seems to be no later version of geronimo where this CVE is
> fixed. It has been 10 years since this CVE was created and no fix has been seen yet. Do
> you have an analysis on whether this CVE really affects geronimo specs, or any
> plan to provide a next version?
> There
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
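The comment above attributes the finding to scanners keying on the Maven groupId rather than the full artifact coordinates. The following is an added example, not code from the Jira thread, Karaf or Geronimo, showing the difference between the two matching strategies on a constructed inventory. The spec jar coordinates (org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1), the server module name geronimo-kernel, and the vulnerability record that lists which modules CVE-2011-5034 covers are all assumptions made for illustration; the real affected-product data lives in NVD, not here.

```python
"""
Added example: groupId-prefix matching versus full-coordinate matching
when mapping a vulnerability record onto a Maven dependency inventory.
Every record below is constructed for illustration (not NVD data, not
the actual Karaf bill of materials).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str      # Maven groupId
    artifact: str   # Maven artifactId
    version: str


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    vendor_group: str        # groupId prefix a naive scanner keys on
    affected: frozenset      # assumed (groupId, artifactId) pairs actually covered
    affected_max: str        # assumed highest affected version (inclusive)


def version_tuple(v: str) -> tuple:
    """Numeric compare of dotted versions; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


# Constructed inventory resembling what a scanner sees in a Karaf distribution.
# geronimo-kernel is a hypothetical server module used to show a true positive.
INVENTORY = [
    Component("org.apache.geronimo.specs", "geronimo-jms_1.1_spec", "1.1.1"),
    Component("org.apache.geronimo.framework", "geronimo-kernel", "2.2.1"),
]

# Constructed record: assumes, as the comment states, that the CVE applies to
# server modules and not to the spec jars. Version ceiling is an assumption.
RECORDS = [
    VulnRecord(
        cve="CVE-2011-5034",
        vendor_group="org.apache.geronimo",
        affected=frozenset({("org.apache.geronimo.framework", "geronimo-kernel")}),
        affected_max="2.2.1",
    )
]


def naive_matches(inventory, records):
    """Scanner behaviour the comment describes: any artifact whose groupId
    starts with the vendor group and whose version is within range is flagged."""
    hits = []
    for rec in records:
        for comp in inventory:
            same_vendor = (comp.group == rec.vendor_group
                           or comp.group.startswith(rec.vendor_group + "."))
            if same_vendor and version_tuple(comp.version) <= version_tuple(rec.affected_max):
                hits.append((rec.cve, comp))
    return hits


def precise_matches(inventory, records):
    """Match on the full (groupId, artifactId) coordinate before the version
    check, so sibling artifacts under the same vendor prefix are not flagged."""
    hits = []
    for rec in records:
        for comp in inventory:
            if (comp.group, comp.artifact) not in rec.affected:
                continue
            if version_tuple(comp.version) <= version_tuple(rec.affected_max):
                hits.append((rec.cve, comp))
    return hits


def false_positives(inventory, records):
    """Components flagged by the naive strategy but not by the precise one."""
    precise = set(precise_matches(inventory, records))
    return [hit for hit in naive_matches(inventory, records) if hit not in precise]


if __name__ == "__main__":
    for cve, comp in naive_matches(INVENTORY, RECORDS):
        print(f"naive   : {cve} -> {comp.group}:{comp.artifact}:{comp.version}")
    for cve, comp in precise_matches(INVENTORY, RECORDS):
        print(f"precise : {cve} -> {comp.group}:{comp.artifact}:{comp.version}")
    for cve, comp in false_positives(INVENTORY, RECORDS):
        print(f"false positive: {cve} on {comp.artifact} (groupId prefix match only)")
```

When triaging such a finding, the check a practitioner wants is whether the scanner's match key is the vendor/groupId or the full coordinate; the output of `false_positives` is exactly the set that a groupId-keyed tool would report and a coordinate-keyed one would not.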