Hi Team,

In our product, we are using Apache CXF Runtime WS Security 
(cxf-rt-ws-security) v3.5.5.
It has a transitive dependency on Guava, mentioned in yellow below.

Apache CXF Runtime WS Security (3.5.5)
    Apache WSS4J DOM WS Security (2.4.1)
        Apache WSS4J WS Security Common (2.4.1)
            guava (30.1-jre)

For Guava, we have observed two vulnerabilities
(CVE-2023-2976 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976>,
CVE-2020-8908 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908>).
A fix for these vulnerabilities is not available on Apache CXF 3.x.
As the product is on Java 8, the fix will be required on Apache CXF 3.x only.

Kindly let us know by when the fix will be provided on the 3.x version.

Thanks
Ashish Verma
