Ajay created AXIS2-6067:
---------------------------
Summary: CVE with dependency jars of axis2
Key: AXIS2-6067
URL: https://issues.apache.org/jira/browse/AXIS2-6067
Project: Axis2
Issue Type: Bug
Components: codegen, json, kernel
Affects Versions: 1.8.2
Reporter: Ajay
Per sonatype Repository SBOM Report, the following CVEs affect packages in the
current latest axis2 version 1.8.2 and should be patched ASAP:
Issue - CVE-2022-40152 -
Source
[INFO] org.apache.axis2:axis2-webapp:war:1.8.2
[INFO] +- org.apache.axis2:axis2-jibx:jar:1.8.2:compile
[INFO] | +- org.apache.axis2:axis2-kernel:jar:1.8.2:compile
[INFO] | | +- org.apache.ws.commons.axiom:axiom-impl:jar:1.4.0:runtime
[INFO] | | | \- com.fasterxml.woodstox:woodstox-core:jar:6.2.8:runtime
Issue - CVE-2023-3635
Source
[INFO] | +- org.apache.axis2:axis2-json:jar:1.8.2:compile
[INFO] | +- org.codehaus.jettison:jettison:jar:1.5.0:compile
[INFO] | +- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] | +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] | +- com.squareup.moshi:moshi:jar:1.13.0:compile
[INFO] | | +- com.squareup.okio:okio:jar:2.10.0:compile
Issue - CVE-2023-2976
Source
[INFO] +- org.apache.axis2:axis2-codegen:jar:1.8.2:compile
[INFO] | +- com.google.googlejavaformat:google-java-format:jar:1.7:compile
[INFO] | | +- com.google.guava:guava:jar:31.1-jre:compile
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
