Erwin Dondorp created ARTEMIS-4330:
--------------------------------------

             Summary: Upgrade JGroups
                 Key: ARTEMIS-4330
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4330
             Project: ActiveMQ Artemis
          Issue Type: Dependency upgrade
    Affects Versions: 2.6.4
            Reporter: Erwin Dondorp
            Assignee: Justin Bertram
             Fix For: 2.21.0


I have noticed with the OWASP dependency-check plugin 
(org.owasp:dependency-check-maven:5.0.0) that the currently used 
org.jgroups:jgroups:3.6.13.Final has a 
[CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')|https://ossindex.sonatype.org/vuln/7c83fdab-9665-4e79-bc81-cc67fbb96417] 
vulnerability. The problem has not been reported in the NVD database, 
therefore there is no CVE record.

The vulnerability has been 
[addressed|https://github.com/belaban/JGroups/pull/348] in version 
org.jgroups:jgroups:4.0.2.Final (at the moment the latest version is 
org.jgroups:jgroups:4.1.1.Final).

The org.jgroups:jgroups dependency would require an upgrade to resolve the 
vulnerability.

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
