[
https://issues.apache.org/jira/browse/ARTEMIS-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
clebert suconic reopened ARTEMIS-2363:
--------------------------------------
> spring-core-5.0.1.RELEASE.jar vulnerable to CVE-2018-15756
> ----------------------------------------------------------
>
> Key: ARTEMIS-2363
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2363
> Project: ActiveMQ Artemis
> Issue Type: Wish
> Components: Broker
> Affects Versions: 2.8.1
> Reporter: Albert Baker
> Assignee: Justin Bertram
> Priority: Minor
> Labels: build, easyfix, security
> Fix For: 2.10.0
>
> Original Estimate: 2h
> Time Spent: 10m
> Remaining Estimate: 1h 50m
>
> Please upgrade the vulnerable third party libraries that are used with Apache
> ActiveMQ Artemis
> Dependency                    | CPE                                        | Highest Severity | CVE Count | CPE Confidence
> ------------------------------|--------------------------------------------|------------------|-----------|---------------
> spring-core-5.0.1.RELEASE.jar | cpe:/a:springsource:spring_framework:5.0.1 | High             | 8         | Highest
> https://nvd.nist.gov/vuln/detail/CVE-2018-15756
> Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x
> prior to 4.3.20, and older that depend on spring-boot-starter-web or
> spring-boot-starter-webflux are ready to serve static resources out of the
> box and are therefore vulnerable.
> Mitigation: Spring-core-5.0.1 is from Oct 2017, the latest 5.1.7 is from
> May 2019