Alejandro Moratinos created OAK-12203:
-----------------------------------------
Summary: Oak-auth-ldap uses vulnerable org.apache.mina.mina-core
Key: OAK-12203
URL: https://issues.apache.org/jira/browse/OAK-12203
Project: Jackrabbit Oak
Issue Type: Improvement
Components: security
Reporter: Alejandro Moratinos
Assignee: Alejandro Moratinos
Oak-auth-ldap artifact embeds mina-core 2.1.10, which contains the following
vulnerability:
* *CVE-2026-41635* in version 2.1.10 (CVSS 9.8 Critical): Apache MINA's
AbstractIoBuffer.resolveClass() contains two branches, one of them (for static
classes or primitive types) does not check the class at all, bypassing the
classname allowlist and allowing arbitrary code to be executed. The fix checks
if the class is present in the accepted class filter before calling
Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <=
2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28,
2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are
applications using Apache MINA that call IoBuffer.getObject(). Applications
using Apache MINA are advised to upgrade.
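As an added illustration of the fix pattern described above (example code written for this note, not MINA's or Oak's own code), here is an ObjectInputStream whose resolveClass applies the class-name allowlist on every path, for arrays and primitive element descriptors too, before any class loading happens. The class name, helper names and the allowlist contents are assumptions; it needs Java 9 or later for Set.of.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Set;

// Hypothetical allowlisting stream: the decision is made once, for every
// descriptor shape, before super.resolveClass() reaches Class.forName().
public final class AllowlistedObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String element = desc.getName();
        // Reduce array descriptors to their element: "[[Lcom.example.Foo;" -> "com.example.Foo", "[I" -> "I"
        while (element.startsWith("[")) element = element.substring(1);
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);
        }
        boolean primitiveElement = element.length() == 1 && "ZBCSIJFD".contains(element);
        if (!primitiveElement && !allowed.contains(element)) {
            // Reject here: loading an unexpected class is the step that must never run.
            throw new InvalidClassException(desc.getName(), "not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Serializes one object and reads it back through the allowlisting stream.
    static Object roundTrip(Object o, Set<String> allowed) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        InputStream raw = new ByteArrayInputStream(bytes.toByteArray());
        try (ObjectInputStream in = new AllowlistedObjectInputStream(raw, allowed)) { return in.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allowlist: Integer and its superclass Number both appear as descriptors.
        Set<String> allowed = Set.of("java.lang.Integer", "java.lang.Number");
        System.out.println(roundTrip(42, allowed));
        System.out.println(((int[]) roundTrip(new int[]{1, 2}, allowed)).length);
        try {
            roundTrip(new ArrayList<>(), allowed);  // java.util.ArrayList is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The contrast with the MINA bug is the single check: there is no separate branch for array or primitive descriptors that returns a class without consulting the allowlist.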
--
This message was sent by Atlassian Jira
(v8.20.10#820010)