[ 
https://issues.apache.org/jira/browse/SLING-11124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17894534#comment-17894534
 ] 

Julian Reschke commented on SLING-11124:
----------------------------------------

Note: the actual removal happened in:

https://github.com/apache/sling-org-apache-sling-testing-clients/commit/c10061729ae8f09c29e807c046289b8993c229d6



> Remove Guava Dependency for CVE CVE-2018-10237 and CVE-2020-8908
> ----------------------------------------------------------------
>
>                 Key: SLING-11124
>                 URL: https://issues.apache.org/jira/browse/SLING-11124
>             Project: Sling
>          Issue Type: Task
>          Components: Apache Sling Testing Clients
>    Affects Versions: Apache Sling Testing Clients 3.0.10
>            Reporter: Andrei Tuicu
>            Assignee: Andrei Dulvac
>            Priority: Major
>             Fix For: Apache Sling Testing Clients 3.0.10
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Sling testing clients are using com.google.guava guava 14.0.1, which is
> vulnerable to CVE-2018-10237 (MEDIUM) [1] and CVE-2020-8908 (LOW) [2].
> Mitigation: remove the guava dependency.
> [1] https://www.cvedetails.com/cve/CVE-2018-10237/
> [2] https://www.cvedetails.com/cve/CVE-2020-8908/



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
