Hello Axis2 developers, Looking at the top-level pom where we have the dependency on tomcat tribes I see that the latest version is in use, 6.0.53. This version was released April 2017. However, looking at where this is in a typical maven repo, at https://mvnrepository.com/artifact/org.apache.tomcat/tribes, I see that the artifact has relocated. It has changed from org.apache.tomcat to tomcat-tribes. Nipping over to the new place at https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-tribes I see there has been more development and the latest release is 10.0.2, release date Feb 2021.
CVE-2020-8022 applies to tomcat 6.0.53, which has a score of 8.4 (High) from NIST. The NIST report says this is still undergoing analysis, so it is unclear what version, if any, it is fixed in. However, surely the best thing to do in order to close the vulnerability is to move to the latest version, 10.0.2. I know this has a CVE as well, CVE-2021-25329, but that has only very recently been filed. I'm sure that there will be a version after 10.0.2 that addresses it. What do people think about moving over to version 10.0.2, please?

--
Regards,
Andrew Marlow
http://www.andrewpetermarlow.co.uk
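The practical consequence of the relocation described above is that a version-update check run against the old coordinates (org.apache.tomcat:tribes) can only see releases published under those coordinates, so it will keep reporting 6.0.53 as current. The fragment below is an added illustration of the pom change being proposed, not code from the email or from the Axis2 project: it swaps the dependency to the relocated artifact and adds a Maven Enforcer ban on the stale coordinates so the build fails if anything (direct or transitive) reintroduces them. The enforcer plugin version and the surrounding pom structure are assumptions; the artifact coordinates and versions are the ones named in the email.

```xml
<!-- Added example pom fragment (assumed structure), not the Axis2 pom itself. -->
<project>
  <dependencies>
    <!-- Before: stale coordinates, last published as 6.0.53 (April 2017).
         Kept here commented out only to show what is being replaced.
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tribes</artifactId>
      <version>6.0.53</version>
    </dependency>
    -->

    <!-- After: relocated artifact; 10.0.2 is the latest release cited in the email. -->
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-tribes</artifactId>
      <version>10.0.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <!-- Plugin version is an assumption; use whatever the build already pins. -->
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>ban-relocated-tribes</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Fails the build if the old groupId:artifactId appears anywhere
                     in the resolved tree (searchTransitive defaults to true). -->
                <bannedDependencies>
                  <excludes>
                    <exclude>org.apache.tomcat:tribes</exclude>
                  </excludes>
                  <message>
                    org.apache.tomcat:tribes was relocated to org.apache.tomcat:tomcat-tribes;
                    update the dependency instead of reintroducing the stale coordinates.
                  </message>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The ban is the part worth keeping long term: the coordinate swap fixes today's pom, while the enforcer rule catches a future contributor or a transitive dependency pulling the old artifact back in, which a plain version bump would not. After applying it, `mvn dependency:tree` should show only tomcat-tribes, and the enforce goal will fail the build with the message above if tribes reappears.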
