Michael Moritz created TIKA-3052:
------------------------------------
Summary: Unsafe Dependency Resolution in com.beust:jcommander 1.35
Key: TIKA-3052
URL: https://issues.apache.org/jira/browse/TIKA-3052
Project: Tika
Issue Type: Bug
Affects Versions: 1.23
Reporter: Michael Moritz
This issue has been created automatically by a source code scanner
## Third party component with known security vulnerabilities
ent-search-master/script/vendor_jars > Jars.lock > com.beust:jcommander@1.35
## Overview
[com.beust:jcommander](https://github.com/cbeust/jcommander) is a Command line
parsing framework for Java.
Affected versions of this package are vulnerable to Unsafe Dependency Resolution
because the project's build resolved its dependencies over an insecure channel (http).
If the build occurred over an insecure connection, a malicious user could have
performed a man-in-the-middle attack during the build and altered the build
artifacts that were produced.
If any of these artifacts were compromised, any developers using them could be
compromised as well.
**Note:** To validate that this artifact was not compromised, the maintainer
would need to confirm that none of the artifacts published to the registry were
tampered with. Until this happens, we cannot guarantee that this artifact was not
compromised, even though the probability that this happened is low.
We have chosen to alert on this issue when maintainers either decided to issue
CVEs themselves, or when maintainers decided against performing audits on their
build to verify that it had not been compromised.
## Remediation
Upgrade `com.beust:jcommander` to version 1.75 or higher.
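Beyond upgrading, a consumer of such a library can check its own build files for repositories that are still resolved over plaintext HTTP. The following is an added example, not part of the scanner report, the jcommander project or Tika; it covers Maven POM/settings XML and Gradle Groovy scripts, and the sample inputs are constructed with placeholder hostnames.

```python
"""Flag dependency repositories that a build resolves over plaintext HTTP (added example)."""
import re
import xml.etree.ElementTree as ET

# Elements whose <url> child names a repository the build downloads from.
REPO_TAGS = {"repository", "pluginRepository", "mirror", "snapshotRepository"}
# Gradle Groovy DSL:  maven { url "http://..." }  or  url = 'http://...'
GRADLE_URL = re.compile(r"""url\s*=?\s*['"]([^'"]+)['"]""")

def _local(tag):
    """Strip the POM namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]

def insecure_maven_repos(xml_text):
    """Return repository URLs in a pom.xml / settings.xml that use http://."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) not in REPO_TAGS:
            continue
        for child in el:
            url = (child.text or "").strip()
            if _local(child.tag) == "url" and url.lower().startswith("http://"):
                found.append(url)
    return found

def insecure_gradle_repos(script):
    """Return repository URLs in a build.gradle that use http://."""
    return [u for u in GRADLE_URL.findall(script) if u.lower().startswith("http://")]

# Constructed sample inputs; the hostnames are placeholders, not real repositories.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo1.maven.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.test/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.test/m2</url></pluginRepository>
  </pluginRepositories>
</project>"""
SAMPLE_GRADLE = """repositories {
    mavenCentral()
    maven { url "http://repo.example.test/maven2" }
    maven { url 'https://mirror.example.test/maven2' }
}"""

if __name__ == "__main__":
    print("Maven:", insecure_maven_repos(SAMPLE_POM))
    print("Gradle:", insecure_gradle_repos(SAMPLE_GRADLE))
```

Any URL the script reports should be switched to https (or the repository dropped) before the build is trusted, since every artifact fetched over it could have been swapped in transit.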
## References
- [GitHub
Commit](https://github.com/cbeust/jcommander/commit/3ae95595febbed9c13f367b6bda5c0be1c572c53)
- [GitHub Issue](https://github.com/cbeust/jcommander/issues/465)
- [Jonathan Leitschuh's
Blog](https://medium.com/@jonathan.leitschuh/1fc329d898fb)
- [SNYK-JAVA-COMBEUST-174815](https://snyk.io/vuln/SNYK-JAVA-COMBEUST-174815)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)