[
https://issues.apache.org/jira/browse/ARTEMIS-3347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17363528#comment-17363528
]
Robbie Gemmell commented on ARTEMIS-3347:
-----------------------------------------
An initial update was made in the following commit, but it misses some
explicitly set versions, and the web console pulling in an older version via
hawtio, so the general issue still remains:
[https://github.com/apache/activemq-artemis/commit/73bcc78beb58ad5a30a46c051955dbc9f17fb530]
There was also a newer commons-io release since then.
> update commons-io
> -----------------
>
> Key: ARTEMIS-3347
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3347
> Project: ActiveMQ Artemis
> Issue Type: Dependency upgrade
> Components: Broker, Tests, Web Console
> Reporter: Robbie Gemmell
> Priority: Major
>
> The codebase uses various versions of commons-io which are susceptible to a
> path traversal CVE
> [https://nvd.nist.gov/vuln/detail/CVE-2021-29425],
> which affects versions < 2.7.0.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
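The comment above notes that a first update missed explicitly set versions and an older commons-io pulled in transitively via hawtio. As an added example, not part of this Jira thread or the Artemis project's own build, the following hypothetical pom.xml fragment pins commons-io through dependencyManagement and uses the Maven Enforcer plugin's bannedDependencies rule to fail the build if any module or transitive dependency still resolves a commons-io version below 2.7.0. The property name, execution id and the placeholder plugin version are assumptions.

```xml
<!-- Hypothetical pom.xml fragment (added example, not the project's own build). -->
<project>
  <properties>
    <!-- Single source of truth for commons-io; set to a release >= 2.7.0
         (CVE-2021-29425 affects versions below 2.7.0). -->
    <commons-io.version>SET-TO-FIXED-RELEASE</commons-io.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Overrides the version any child module or transitive dependency
           (e.g. hawtio) would otherwise resolve for commons-io. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>${commons-io.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>PLUGIN-VERSION-PLACEHOLDER</version>
        <executions>
          <execution>
            <id>ban-vulnerable-commons-io</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Walk the full transitive graph, not just direct deps. -->
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- Version range: anything strictly below 2.7.0 fails. -->
                    <exclude>commons-io:commons-io:[,2.7.0)</exclude>
                  </excludes>
                  <message>commons-io below 2.7.0 detected (CVE-2021-29425); pin via dependencyManagement or exclude it from the pulling dependency.</message>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To see which dependency is still bringing in an old version before enabling the rule, `mvn dependency:tree -Dincludes=commons-io` prints only the commons-io paths in each module's graph.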