[ https://issues.apache.org/jira/browse/SLING-11162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Angela Schreiber resolved SLING-11162.
--------------------------------------
Resolution: Incomplete
> Vulnerabilities stopping us from procuring these libs
> -----------------------------------------------------
>
> Key: SLING-11162
> URL: https://issues.apache.org/jira/browse/SLING-11162
> Project: Sling
> Issue Type: Bug
> Components: XSS Protection API
> Reporter: Mahidhar Chaluvadi
> Priority: Major
>
> Today we wanted to use the latest version of WCM IO Mocks for AEM JUnit testing,
> and our organization denied our request, stating there are vulnerabilities in
> the dependency chain; here are the details. Wondering if there is a way
> to revise the version including the necessary fixes. We are okay to contribute
> back to the respective git repo with the required guidance so we don't violate
> any standards you may have.
> Dependency: MAVEN - org.apache.sling:org.apache.sling.resourcebuilder:1.0.4:jar
> RejectReasons (2)
> RejectReason: 2057e68c-41f8-4f57-80fe-54278d93e422
> Type: VULNERABILITY
> Name: CVE-2016-0956
> CVSS Score v2: 7.8
> Severity: high
> Description: The Servlets Post component 2.3.6 in Apache Sling,
> as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote
> attackers to obtain sensitive information via unspecified vectors.
> RejectReason: 51205845-93e2-4d67-8289-afe4ee35cd65
> Type: VULNERABILITY
> Name: CVE-2016-6798
> CVSS Score v2: 7.5
> Severity: high
> Description: In the XSS Protection API module before 1.0.12 in
> Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to
> validate the input string, which allows for XXE attacks in all scripts which
> use this method to validate user input, potentially allowing an attacker to
> read sensitive data on the filesystem, perform same-site-request-forgery
> (SSRF), port-scanning behind the firewall or DoS the application.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
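The second reject reason above (CVE-2016-6798) describes the general XXE pattern: an XML string from user input is handed to a SAX parser whose default configuration still resolves DOCTYPE declarations and external entities. The example below is an added illustration of the hardened side of that pattern; it is not code from Apache Sling and does not show how XSS.getValidXML() is or was implemented. It assumes only the standard JDK SAX API and the Apache Xerces feature URIs that the JDK's built-in parser honours; the class name SafeXmlValidator and the sample inputs are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical validator (not Sling's XSS.getValidXML): checks that a string is
// well-formed XML without letting the parser touch DTDs or external resources.
public class SafeXmlValidator {

    // A SAXParserFactory with the entity-related features locked down.
    // The JDK's default factory leaves external entities enabled, which is the
    // misconfiguration the CVE description refers to.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: no entity declarations, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another route to fetching external content; keep it off.
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Returns true when the input parses as well-formed XML under the hardened
    // parser. Any DOCTYPE, and therefore any entity-based payload, is rejected
    // before the parser ever attempts to resolve anything.
    static boolean isValidXml(String input) {
        try {
            SAXParser parser = hardenedFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(input)), new DefaultHandler());
            return true;
        } catch (Exception e) {
            // SAXParseException (malformed XML or a disallowed DOCTYPE), I/O errors
            // and parser-configuration problems all mean "not valid".
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; not taken from the issue.
        String plain = "<note><to>ops</to><body>hello</body></note>";
        String withDoctype = "<!DOCTYPE note [<!ENTITY x SYSTEM \"file:///PLACEHOLDER\">]>"
                + "<note>&x;</note>";
        String malformed = "<note><to>ops</note>";

        System.out.println("plain XML accepted:        " + isValidXml(plain));
        System.out.println("DOCTYPE input accepted:    " + isValidXml(withDoctype));
        System.out.println("malformed input accepted:  " + isValidXml(malformed));
    }
}
```

The important design point is that the DOCTYPE ban happens at the factory, so every parser it produces is safe by construction; scattering the feature calls at each call site is how one validation helper ends up being the single place the features were forgotten. When auditing a dependency chain for this class of issue, the check is not whether a library parses XML but whether every factory it creates sets these features (or the equivalent `XMLConstants.FEATURE_SECURE_PROCESSING` plus explicit entity features) before user input reaches it.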