Karthick created KARAF-7292:
-------------------------------
Summary: Karaf update needed for log4j update
Key: KARAF-7292
URL: https://issues.apache.org/jira/browse/KARAF-7292
Project: Karaf
Issue Type: Question
Components: karaf
Affects Versions: 4.3.2
Reporter: Karthick
Assignee: Jean-Baptiste Onofré
CVE-2021-26291 reports that Maven versions lower than 3.8.1 are vulnerable
to XRI attacks, where a malicious attacker can imitate a repository. Apache Karaf
4.3.2 includes pax-url-aether, which packs Maven artifacts of version 3.6.x, so
the CVE impacts Karaf 4.3.2. But does the issue specified in the CVE, such as Maven
pulling dependencies from remote directories, really affect Karaf at
runtime? Is it possible that a PoC has been done to validate this impact on
Karaf?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)