[
https://issues.apache.org/jira/browse/AXIS2-6067?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Lazarski updated AXIS2-6067:
-----------------------------------
Fix Version/s: 2.0.0
> CVE with dependency jars of axis2
> ---------------------------------
>
> Key: AXIS2-6067
> URL: https://issues.apache.org/jira/browse/AXIS2-6067
> Project: Axis2
> Issue Type: Bug
> Components: codegen, json, kernel
> Affects Versions: 1.8.2
> Reporter: Ajay
> Priority: Critical
> Fix For: 2.0.0
>
>
> Per sonatype Repository SBOM Report, the following CVEs affect packages in
> the current latest axis2 version 1.8.2 and should be patched ASAP:
>
> Issue - CVE-2022-40152 -
>
> Source
> [INFO] org.apache.axis2:axis2-webapp:war:1.8.2
> [INFO] +- org.apache.axis2:axis2-jibx:jar:1.8.2:compile
> [INFO] | +- org.apache.axis2:axis2-kernel:jar:1.8.2:compile
> [INFO] | | +- org.apache.ws.commons.axiom:axiom-impl:jar:1.4.0:runtime
> [INFO] | | | \- com.fasterxml.woodstox:woodstox-core:jar:6.2.8:runtime
>
>
> Issue - CVE-2023-3635
>
> Source
> [INFO] | +- org.apache.axis2:axis2-json:jar:1.8.2:compile
> [INFO] | +- org.codehaus.jettison:jettison:jar:1.5.0:compile
> [INFO] | +- org.owasp.encoder:encoder:jar:1.2.3:compile
> [INFO] | +- com.google.code.gson:gson:jar:2.9.0:compile
> [INFO] | +- com.squareup.moshi:moshi:jar:1.13.0:compile
> [INFO] | | +- com.squareup.okio:okio:jar:2.10.0:compile
>
> Issue - CVE-2023-2976
>
> Source
> [INFO] +- org.apache.axis2:axis2-codegen:jar:1.8.2:compile
> [INFO] | +- com.google.googlejavaformat:google-java-format:jar:1.7:compile
> [INFO] | | +- com.google.guava:guava:jar:31.1-jre:compile
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
