Hello,

That ticket is closed. I've just done an OWASP check on the latest GitHub clone, what will become 1.8.0, and it reveals the following:

axis2-ant-plugin-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-ant-plugin@1.8.0-SNAPSHOT, cpe:2.3:a:apache:ant:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*) : CVE-2020-1945

axis2.war: taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245

axis2-xmlbeans-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-xmlbeans@1.8.0-SNAPSHOT, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926

axis2-xmlbeans-codegen-1.8.0-SNAPSHOT.jar (pkg:maven/org.apache.axis2/axis2-xmlbeans-codegen@1.8.0-SNAPSHOT, cpe:2.3:a:apache:axis2:1.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:xmlbeans:1.8.0:*:*:*:*:*:*:*) : CVE-2021-23926

commons-httpclient-3.1.jar (pkg:maven/commons-httpclient/commons-httpclient@3.1, cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*, cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*) : CVE-2020-13956

failureaccess-1.0.1.jar (pkg:maven/com.google.guava/failureaccess@1.0.1, cpe:2.3:a:google:guava:1.0.1:*:*:*:*:*:*:*) : CVE-2020-8908

org.eclipse.ui.ide-3.17.100.v20200530-0835.jar (pkg:maven/osgi.bundle/org.eclipse.ui.ide@3.17.100.v20200530-0835, cpe:2.3:a:eclipse:eclipse_ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*, cpe:2.3:a:eclipse:ide:3.17.100.v20200530.0835:*:*:*:*:*:*:*) : CVE-2008-7271

org.eclipse.ui.workbench-3.119.0.v20200521-1247.jar (pkg:maven/osgi.bundle/org.eclipse.ui.workbench@3.119.0.v20200521-1247, cpe:2.3:a:eclipse:eclipse_ide:3.119.0.v20200521:*:*:*:*:*:*:*) : CVE-2008-7271

taglibs-standard-impl-1.2.5.jar (pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5, cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.2.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245

xmlbeans-2.6.0.jar (pkg:maven/org.apache.xmlbeans/xmlbeans@2.6.0, cpe:2.3:a:apache:xmlbeans:2.6.0:*:*:*:*:*:*:*) : CVE-2021-23926

On Thu, 11 Mar 2021 at 13:16, Joseph (Jira) <j...@apache.org> wrote:
>
> [ https://issues.apache.org/jira/browse/AXIS2-5996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299553#comment-17299553 ]
>
> Joseph commented on AXIS2-5996:
> -------------------------------
>
> Hi [~robertlazarski],
>
> Thank you for the information! We are locked into importing packages
> through maven unfortunately, any information on when this might be released?
>
> > Axis contains a vulnerable dependecy
> > ------------------------------------
> >
> > Key: AXIS2-5996
> > URL: https://issues.apache.org/jira/browse/AXIS2-5996
> > Project: Axis2
> > Issue Type: Bug
> > Affects Versions: 1.7.9
> > Reporter: Joseph
> > Priority: Major
> > Labels: security
> >
> > Axis 2 is dependent on Apache Client 4.5.3 which is vulnerable to
> > CVE-2020-13956
>
> --
> This message was sent by Atlassian Jira
> (v8.3.4#803005)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
> For additional commands, e-mail: java-dev-h...@axis.apache.org
>

--
Regards,
Andrew Marlow
http://www.andrewpetermarlow.co.uk