[
https://issues.apache.org/jira/browse/KARAF-7292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karthick updated KARAF-7292:
----------------------------
Summary: Karaf update needed for log4j stepup (was: Karaf update needed for log4j update)
> Karaf update needed for log4j stepup
> ------------------------------------
>
> Key: KARAF-7292
> URL: https://issues.apache.org/jira/browse/KARAF-7292
> Project: Karaf
> Issue Type: Question
> Components: karaf
> Affects Versions: 4.3.2
> Reporter: Karthick
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> CVE-2021-26291 reports that Maven versions lower than 3.8.1 are
> vulnerable to XRI attacks, where a malicious attacker can imitate a repository.
> Apache Karaf 4.3.2 includes pax-url-aether, which packs Maven artifacts of
> version 3.6.x, so the CVE impacts Karaf 4.3.2. But does the issue described
> in the CVE, such as Maven pulling dependencies from remote directories, really
> affect Karaf at runtime? Is it possible that a PoC has been done to
> validate this impact on Karaf?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)