[ 
https://issues.apache.org/jira/browse/TIKA-3052?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tim Allison resolved TIKA-3052.
-------------------------------
    Fix Version/s: 1.24
         Assignee: Tim Allison
       Resolution: Fixed

> [Dependency] Unsafe Dependency Resolution in com.beust:jcommander 1.35
> ----------------------------------------------------------------------
>
>                 Key: TIKA-3052
>                 URL: https://issues.apache.org/jira/browse/TIKA-3052
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.23
>            Reporter: Michael Moritz
>            Assignee: Tim Allison
>            Priority: Major
>             Fix For: 1.24
>
>
> This issue has been created automatically by a source code scanner
> ## Third party component with known security vulnerabilities
> ent-search-master/script/vendor_jars > Jars.lock > com.beust:jcommander@1.35
> ## Overview
> [com.beust:jcommander](https://github.com/cbeust/jcommander) is a Command 
> line parsing framework for Java.
> Affected versions of this package are vulnerable to Unsafe Dependency 
> Resolution
> due to resolving dependencies over an insecure channel (http).
> If the build occurred over an insecure connection, a malicious user could 
> have performed a Man-in-the-Middle attack during the build and altered the build 
> artifacts that were produced.
> In case that any of these artifacts were compromised, any developers using 
> these could be altered.
>  
> **Note:** In order to validate that this artifact was not compromised, the 
> maintainer would need to confirm that none of the artifacts published to the 
> registry were altered. Until this happens, we cannot guarantee that 
> this artifact was not compromised, even though the probability that this 
> happened is low. 
> We have chosen to alert on this issue when maintainers either decided to 
> issue CVEs themselves, or in cases when maintainers decided against 
> performing audits on their build to verify they had not been compromised.
> ## Remediation
> Upgrade `com.beust:jcommander` to version 1.75 or higher.
> ## References
> - [GitHub 
> Commit](https://github.com/cbeust/jcommander/commit/3ae95595febbed9c13f367b6bda5c0be1c572c53)
> - [GitHub Issue](https://github.com/cbeust/jcommander/issues/465)
> - [Jonathan Leitschuh's 
> Blog](https://medium.com/@jonathan.leitschuh/1fc329d898fb)
> - [SNYK-JAVA-COMBEUST-174815](https://snyk.io/vuln/SNYK-JAVA-COMBEUST-174815)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
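The finding above is about build-time dependency resolution over plain http rather than a flaw in jcommander's parsing code, so the practical check on your own side is to audit your build files for repositories that are not fetched over TLS. The following scanner is an added example, not code from Tika, jcommander, or the scanner that filed this issue; the Maven POM and Gradle snippet it scans are constructed samples with `.invalid` hostnames, and the function names are this example's own.

```python
"""Flag Maven/Gradle repositories that would resolve dependencies over plain http."""
import re
import xml.etree.ElementTree as ET

# Constructed sample Maven POM (not from Tika or jcommander): one repository
# over plain http, one over https, and a distributionManagement repository
# over plain http.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>legacy-mirror</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
    <repository>
      <id>central-tls</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <distributionManagement>
    <repository>
      <id>staging</id>
      <url>http://staging.example.invalid/releases</url>
    </repository>
  </distributionManagement>
</project>
"""

# Constructed sample Gradle build script with the same mix.
SAMPLE_GRADLE = """repositories {
    maven { url "http://plugins.example.invalid/m2" }
    maven { url 'https://repo.maven.apache.org/maven2' }
    mavenCentral()
}
"""

# The POM XML namespace URI is only an identifier; it is never fetched, so it
# must not be reported as an insecure repository.
POM_NS = "http://maven.apache.org/POM/4.0.0"


def _is_plain_http(url: str) -> bool:
    return url.strip().lower().startswith("http://")


def insecure_pom_repositories(pom_xml: str):
    """Return (id, url) pairs for every repository element whose URL is plain http.

    Covers <repository> (including distributionManagement), <pluginRepository>
    and <snapshotRepository>.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for tag in ("repository", "pluginRepository", "snapshotRepository"):
        for repo in root.iter(f"{{{POM_NS}}}{tag}"):
            url_el = repo.find(f"{{{POM_NS}}}url")
            id_el = repo.find(f"{{{POM_NS}}}id")
            if url_el is None or not url_el.text:
                continue
            if _is_plain_http(url_el.text):
                repo_id = id_el.text.strip() if id_el is not None and id_el.text else "(no id)"
                findings.append((repo_id, url_el.text.strip()))
    return findings


# Matches `url "..."`, `url = "..."` and `url = uri("...")` forms in Gradle
# scripts. A regex is enough for a first pass; URLs built from variables or
# string interpolation are not resolved here.
_GRADLE_URL = re.compile(r"""url\s*=?\s*(?:uri\()?\s*['"]([^'"]+)['"]""")


def insecure_gradle_repositories(gradle_text: str):
    """Return every literal repository URL in a Gradle script that uses plain http."""
    return [m.group(1) for m in _GRADLE_URL.finditer(gradle_text)
            if _is_plain_http(m.group(1))]


def audit_build_files(files: dict):
    """files maps a file name to its contents; returns one report line per finding."""
    report = []
    for name, content in files.items():
        if name.endswith("pom.xml"):
            for repo_id, url in insecure_pom_repositories(content):
                report.append(f"{name}: {repo_id} -> {url}")
        elif name.endswith((".gradle", ".gradle.kts")):
            for url in insecure_gradle_repositories(content):
                report.append(f"{name}: {url}")
    return report


if __name__ == "__main__":
    for line in audit_build_files({"pom.xml": SAMPLE_POM, "build.gradle": SAMPLE_GRADLE}):
        print(line)
```

Run against the constructed samples this reports the `legacy-mirror` and `staging` repositories from the POM and the `plugins.example.invalid` URL from the Gradle script, and nothing for the https entries. Remediating a hit means switching the URL to https (or removing the repository) and, for the case described in this issue, upgrading the affected dependency to a release that was built without the insecure repository. Note that Maven 3.8.1 and later ship a default mirror (`maven-default-http-blocker`) that refuses external http repositories, so a build that still succeeds on an older Maven may fail outright after an upgrade; treating the scan as a pre-upgrade check avoids the surprise.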
