Hello,

That ticket is closed. I've just done an OWASP check on the latest GitHub
clone, which will become 1.8.0, and it reveals the following:

axis2-ant-plugin-1.8.0-SNAPSHOT.jar
(pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT,
cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*,
cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945
axis2.war: taglibs-standard-impl-1.2.5.jar
(pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5,
cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*,
cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242,
CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
axis2-xmlbeans-1.8.0-SNAPSHOT.jar
(pkg:maven/org.apache.axis2/axis2-xmlbeans@1.8.0-SNAPSHOT,
cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*,
cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
axis2-xmlbeans-codegen-1.8.0-SNAPSHOT.jar
(pkg:maven/org.apache.axis2/axis2-xmlbeans-codegen@1.8.0-SNAPSHOT,
cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*,
cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926
commons-httpclient-3.1.jar
(pkg:maven/commons-httpclient/commons-httpclient@3.1,
cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*,
cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956
failureaccess-1.0.1.jar (pkg:maven/com.google.guava/failureaccess@1.0.1,
cpe:2.3:a:google:guava:1.0.1:*:*:*:*:*:*:*) : CVE-2020-8908
org.eclipse.ui.ide-3.17.100.v20200530-0835.jar
(pkg:maven/osgi.bundle/org.eclipse.ui.ide@3.17.100.v20200530-0835,
cpe:2.3:a:eclipse:eclipse_ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*,
cpe:2.3:a:eclipse:ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*) : CVE-2008-7271
org.eclipse.ui.workbench-3.119.0.v20200521-1247.jar
(pkg:maven/osgi.bundle/org.eclipse.ui.workbench@3.119.0.v20200521-1247,
cpe:2.3:a:eclipse:eclipse_ide:3.119.0.v20200521:*:*:*:*:*:*:*) :
CVE-2008-7271
taglibs-standard-impl-1.2.5.jar
(pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5,
cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*,
cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242,
CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0,
cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926

On Thu, 11 Mar 2021 at 13:16, Joseph (Jira) <j...@apache.org> wrote:

>
>     [
> https://issues.apache.org/jira/browse/AXIS2-5996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299553#comment-17299553
> ]
>
> Joseph commented on AXIS2-5996:
> -------------------------------
>
> Hi [~robertlazarski],
>
> Thank you for the information! We are locked into importing packages
> through Maven, unfortunately. Any information on when this might be released?
>
> > Axis contains a vulnerable dependecy
> > ------------------------------------
> >
> >                 Key: AXIS2-5996
> >                 URL: https://issues.apache.org/jira/browse/AXIS2-5996
> >             Project: Axis2
> >          Issue Type: Bug
> >    Affects Versions: 1.7.9
> >            Reporter: Joseph
> >            Priority: Major
> >              Labels: security
> >
> > Axis 2 is dependent on Apache Client 4.5.3 which is vulnerable to
> CVE-2020-13956
>

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
