[
https://issues.apache.org/jira/browse/CAMEL-13169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16763100#comment-16763100
]
Abraham Ciokler commented on CAMEL-13169:
-----------------------------------------
[~davsclaus] I understand there's a workaround, but that doesn't make this a
minor issue. The reason my team found out about this issue is because a
vulnerability scanning tool detected it. Those who don't have such tools will
unsuspectedly expose a security vulnerability in their application by the using
camel-quartz2 library. I consider this a major issue and I think it should be
fixed sooner than later. Regards.
> c3p0 dependent version (0.9.5.2) has a security vulnerability (CVE-2018-20433)
> ------------------------------------------------------------------------------
>
> Key: CAMEL-13169
> URL: https://issues.apache.org/jira/browse/CAMEL-13169
> Project: Camel
> Issue Type: Task
> Components: camel-quartz2
> Affects Versions: 2.23.1
> Reporter: Abraham Ciokler
> Assignee: Andrea Cosentino
> Priority: Minor
> Fix For: 3.0.0, 2.23.2, 2.24.0, 2.22.4
>
>
> camel-quartz2 latest version (2.23.1) has a dependency on c3p0 version
> 0.9.5.2 and that version has a security vulnerability (CVE-2018-20433)
> source: https://nvd.nist.gov/vuln/detail/CVE-2018-20433
> The issue seems to be resolved by updating the dependency of c3p0 to 0.9.5.3.
> Please, update the camel-quartz2 to use newest version of c3p0 (0.9.5.3 at
> the time of writing this).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
