[ https://issues.apache.org/jira/browse/SLING-9928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17237905#comment-17237905 ]

Akanksha Jain commented on SLING-9928:
--------------------------------------
As per [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810], the vulnerability is fixed in versions greater than 6.0.44 of el-api.
I have updated the el-api version to the latest, i.e. 6.0.53, in the PR below.
PR: [https://github.com/apache/sling-org-apache-sling-scripting-el-api/pull/2]
[~cziegeler]: please review the PR and, if everything looks fine, merge it to master.

> Sling el-api embeds vulnerable version of el-api
> ------------------------------------------------
>
> Key: SLING-9928
> URL: https://issues.apache.org/jira/browse/SLING-9928
> Project: Sling
> Issue Type: Bug
> Components: Scripting
> Reporter: Akanksha Jain
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *Issue summary:* Security issues reported under org.apache.tomcat
> *Vulnerabilities*
> CVE-2014-7810 5.0 org.apache.tomcat : el-api : 6.0.14
> [https://nvd.nist.gov/vuln/detail/CVE-2014-7810]
> el-api-6.0.14 is embedded by org.apache.sling.scripting.el-api.
> Expected: Need to update el-api version in org.apache.sling.scripting.el-api.