Dear Colleagues,

As per https://bugzilla.redhat.com/show_bug.cgi?id=1886587, http.client 
libraries below version 4.5.13 have the vulnerability CVE-2020-13956 
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956).

As Karaf 4.2.x rebundles http.client (4.5.6) classes, as seen at 
https://github.com/apache/karaf/blob/karaf-4.2.10/jaas/modules/pom.xml#L180, 
this makes it vulnerable, and hence our security scans are detecting it as a 
vulnerable library. I created the PR 
https://github.com/apache/karaf/pull/1243 to update httpclient.version to 
4.5.13. Please take a look at it whenever possible and include it in the 
upcoming release of Karaf 4.2.x if it fits well.

Kind regards,


Sachin Pattan
The Tools Team
WDF07  X1.65