[ https://issues.apache.org/jira/browse/ARTEMIS-2413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17339620#comment-17339620 ]
Franck Valentin edited comment on ARTEMIS-2413 at 5/5/21, 12:02 PM:
--------------------------------------------------------------------
Note that there is another critical vulnerability [CVE-2016-2141|https://nvd.nist.gov/vuln/detail/CVE-2016-2141] for JGroups <4.0.0
was (Author: [email protected]):
Note that there is another critical vulnerability [CVE-2016-2141|https://nvd.nist.gov/vuln/detail/CVE-2016-2141] for JGroups <4.0.0

> Upgrade JGroups
> ---------------
>
> Key: ARTEMIS-2413
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2413
> Project: ActiveMQ Artemis
> Issue Type: Task
> Affects Versions: 2.6.4
> Reporter: Endre Jeges
> Priority: Major
>
> I have noticed with the OWASP dependency-check plugin
> (org.owasp:dependency-check-maven:5.0.0) that the currently used
> org.jgroups:jgroups:3.6.13.Final has a [CWE-300: Channel Accessible by
> Non-Endpoint
> ('Man-in-the-Middle')|https://ossindex.sonatype.org/vuln/7c83fdab-9665-4e79-bc81-cc67fbb96417]
> vulnerability. The problem has not been reported in the NVD database,
> therefore there is no CVE record.
> The vulnerability has been
> [addressed|https://github.com/belaban/JGroups/pull/348] in version
> org.jgroups:jgroups:4.0.2.Final (at the moment the latest version is
> org.jgroups:jgroups:4.1.1.Final).
> The org.jgroups:jgroups dependency would require an upgrade to resolve the
> vulnerability.
>