[ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16222588#comment-16222588 ]
ASF subversion and git services commented on ARTEMIS-1483:
----------------------------------------------------------

Commit ba01bf70734a0aa6ad614b4dfc7a3401dfae3c39 in activemq-artemis's branch refs/heads/master from [~jbertram]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=ba01bf7 ]

ARTEMIS-1483 upgrade beanutils

> Upgrade beanutils
> -----------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.3.0
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>             Fix For: 2.4.0
>
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to
> 3.2.2; however, this fix was not sufficient because ACC is also pulled in via
> Apache BeanUtils. This is a potential problem because it is enough for the
> bad library to be anywhere on the classpath, so whether Artemis is vulnerable or
> not may depend on the vagaries of classpath ordering (if both versions
> somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the
> CVE. If Artemis upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too.
> The reports it generates are excellent.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
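An added check, not part of the Artemis commit or the issue text: the description points out that once two copies of Commons Collections are present, which one wins depends on classpath ordering, so a distribution's lib directory is worth auditing for duplicate artifacts and for versions below the fixed releases the issue names (Commons Collections 3.2.2, BeanUtils 1.9.3). The jar names below are a constructed sample, and the minimum-version table is an assumption built from the issue.

```python
import re
from collections import defaultdict

# Constructed sample of a lib/ directory where both Commons Collections
# versions slipped in by mistake, alongside the pre-fix BeanUtils.
SAMPLE_CLASSPATH = [
    "lib/commons-beanutils-1.9.2.jar",
    "lib/commons-collections-3.2.1.jar",
    "lib/commons-collections-3.2.2.jar",
    "lib/commons-logging-1.2.jar",
]

# Minimum versions taken from the issue: 3.2.2 is the fixed Commons
# Collections, 1.9.3 is the BeanUtils release that stops pulling in 3.2.1.
MIN_SAFE = {"commons-collections": (3, 2, 2), "commons-beanutils": (1, 9, 3)}

# artifact-name-<numeric version>[-qualifier].jar, with an optional directory prefix
JAR_RE = re.compile(r"^(?:.*/)?(.+?)-(\d+(?:\.\d+)*)(?:[.-][A-Za-z][\w.]*)?\.jar$")


def parse_jar(path):
    """Return (artifact, version tuple) for a jar path, or None if it does not parse."""
    m = JAR_RE.match(path)
    if not m:
        return None
    return m.group(1), tuple(int(part) for part in m.group(2).split("."))


def audit_classpath(entries):
    """Report duplicate artifacts (classpath-order dependent) and versions below MIN_SAFE."""
    seen = defaultdict(list)
    for entry in entries:
        parsed = parse_jar(entry)
        if parsed:
            seen[parsed[0]].append((parsed[1], entry))
    findings = []
    for artifact, versions in seen.items():
        if len(versions) > 1:
            findings.append(("duplicate", artifact, sorted(e for _, e in versions)))
        for version, entry in versions:
            if artifact in MIN_SAFE and version < MIN_SAFE[artifact]:
                findings.append(("below-minimum", artifact, entry))
    return findings


if __name__ == "__main__":
    for finding in audit_classpath(SAMPLE_CLASSPATH):
        print(*finding)
```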