[
https://issues.apache.org/jira/browse/KARAF-7888?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sadeesh updated KARAF-7888:
---------------------------
Description:
We use Karaf 4.4.6, which packs the below 3PPs that are affected by CVEs.
woodstox-core-6.2.8.jar --> CVE-2022-40152
xnio-api-3.8.11.Final.jar --> CVE-2023-5685
snakeyaml-1.33.jar --> CVE-2022-1471
undertow-core-2.2.31.Final.jar --> CVE-2023-1973, CVE-2024-6162, CVE-2024-5971 & CVE-2024-7885
undertow-servlet-2.2.31.Final.jar --> CVE-2023-1973
Please bump up to a newer version that solves the vulnerability.
> Stepup snakeyaml, undertow, xnio and woodstox to solve CVEs
> ------------------------------------------------------------
>
> Key: KARAF-7888
> URL: https://issues.apache.org/jira/browse/KARAF-7888
> Project: Karaf
> Issue Type: Dependency upgrade
> Components: karaf
> Affects Versions: 4.4.6
> Environment: Linux
> Reporter: Sadeesh
> Priority: Major
> Labels: dependency-upgrade, security
>
> We use Karaf 4.4.6, which packs the below 3PPs that are affected by CVEs.
> woodstox-core-6.2.8.jar --> CVE-2022-40152
> xnio-api-3.8.11.Final.jar --> CVE-2023-5685
> snakeyaml-1.33.jar --> CVE-2022-1471
> undertow-core-2.2.31.Final.jar --> CVE-2023-1973, CVE-2024-6162, CVE-2024-5971 & CVE-2024-7885
> undertow-servlet-2.2.31.Final.jar --> CVE-2023-1973
> Please bump up to a newer version that solves the vulnerability.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)