Mr Martin

Upgrading commons.fileupload.version to 1.3 in both
modules/fastinfoset/pom.xml and
modules/parent/pom.xml
will mitigate CVE-2013-0248.


modules/fastinfoset/pom.xml:
<!-- fastinfoset dependency: CVE-2013-0248 vulnerability averted by specifying the version -->
<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <!-- commons-fileupload versions 1.0 - 1.2.2 are subject to CVE-2013-0248 -->
    <version>1.3</version>
</dependency>

modules/parent/pom.xml:
<!-- commons-fileupload versions 1.0 - 1.2.2 are subject to CVE-2013-0248;
     upgrade to 1.3 to mitigate -->
<!-- commons.fileupload.version>1.2</commons.fileupload.version -->
<commons.fileupload.version>1.3</commons.fileupload.version>


Andreas, please confirm.

Thanks to Mr Martin for detecting this vulnerability
Martin --


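A check that follows from the reply above, added here as an example and not part of the reply or of the Axis2 project: a POSIX shell scan that lists commons-fileupload jars whose version falls in the range the reply cites as subject to CVE-2013-0248 (1.0 through 1.2.2). It assumes the conventional commons-fileupload-<version>.jar file name; the sample listing is constructed.

```shell
# Scan a list of jar paths (e.g. WEB-INF/lib of an Axis2 deployment) and flag
# commons-fileupload jars in the version range the reply calls subject to
# CVE-2013-0248: 1.0 through 1.2.2. Assumption: jars use the conventional
# commons-fileupload-<version>.jar file name.

# Exit 0 if VERSION lies in [1.0, 1.2.2], 1 otherwise. Only the leading numeric
# major.minor.patch part is compared; missing parts count as 0 and qualifiers
# such as "-SNAPSHOT" are ignored.
fileupload_version_vulnerable() {
    core=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS
    IFS=.
    set -- $core
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 1 ] || return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -eq 2 ] && [ "$patch" -le 2 ] && return 0
    return 1
}

# Print every vulnerable commons-fileupload jar in the whitespace-separated
# list JARS; return 1 if any was found, 0 if the list is clean.
scan_jar_list() {
    hits=0
    for jar in $1; do
        name=${jar##*/}
        case $name in
            commons-fileupload-*.jar) ;;
            *) continue ;;
        esac
        ver=${name#commons-fileupload-}
        ver=${ver%.jar}
        if fileupload_version_vulnerable "$ver"; then
            printf '%s\n' "$jar"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample listing (not real Axis2 output); the 1.2 jar is the one
# the question reports shipping with Axis2.
SAMPLE_JARS="WEB-INF/lib/commons-fileupload-1.2.jar
WEB-INF/lib/commons-io-2.4.jar
WEB-INF/lib/commons-fileupload-1.3.jar
lib/commons-fileupload-1.2.2.jar"

# Against a real deployment: scan_jar_list "$(find /path/to/axis2 -name '*.jar')"
scan_jar_list "$SAMPLE_JARS" || echo "vulnerable commons-fileupload jar(s) found; upgrade to 1.3"
```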
To: java-user@axis.apache.org
Subject: apache-commons-fileupload symlink vulnerability CVE-2013-0248
From: charlie.mar...@uk.ibm.com
Date: Thu, 23 Jul 2015 11:41:06 +0100

Hi,

The current (v1.6.3) and previous releases of Axis2 contain the apache commons-fileupload-1.2.jar.

This jar is flagged as being vulnerable to CVE-2013-0248.

Could anyone confirm if either:

  - This vulnerability is not applicable to the use of the jar in Axis2
  - An update is planned

Details of the vulnerability:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248



Many thanks,

Charlie Martin

WebSphere MQ Development
IBM Hursley Labs, Hursley Park, Winchester, Hants. SO21 2JN. UK.
Email: charlie.mar...@uk.ibm.com
Tel: +44 (0) 1962 815860, Internal: 37245860





Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
