[ 
https://issues.apache.org/jira/browse/OAK-12203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080862#comment-18080862
 ] 

Alejandro Moratinos commented on OAK-12203:
-------------------------------------------

Backported to version 1.22.

> Oak-auth-ldap uses vulnerable org.apache.mina.mina-core
> -------------------------------------------------------
>
>                 Key: OAK-12203
>                 URL: https://issues.apache.org/jira/browse/OAK-12203
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security
>            Reporter: Alejandro Moratinos
>            Assignee: Alejandro Moratinos
>            Priority: Major
>             Fix For: 2.2.0, 1.22.25
>
>
> Oak-auth-ldap artifact embeds mina-core 2.1.10 which contains the following 
> vulnerability(ies):
>  * *CVE-2026-41635* in version 2.1.10 (CVSS 9.8 Critical): Apache MINA's 
> AbstractIoBuffer.resolveClass() contains two branches, one of them (for 
> static classes or primitive types) does not check the class at all, bypassing 
> the classname allowlist and allowing arbitrary code to be executed. The fix 
> checks if the class is present in the accepted class filter before calling 
> Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 
> 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 
> 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are 
> applications using Apache MINA that call IoBuffer.getObject(). Applications 
> using Apache MINA are advised to upgrade.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
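The fix described in the issue is to consult the class allowlist before any branch reaches Class.forName(). The following is an added illustration of that hardening at the JDK level, using the standard ObjectInputFilter so the allowlist is applied to every class name the stream presents (array component types and superclasses included) before resolution; it is not Apache MINA's code nor Oak's, and the class and method names (AllowlistDeserializer, readObject, serialize) are hypothetical. Requires Java 9 or later.

```java
import java.io.*;
import java.util.Date;

// Added example, not Apache MINA's or Oak's code: Java deserialization with a
// class-name allowlist that is enforced on every path, before class resolution.
public class AllowlistDeserializer {

    // Allowlist of fully qualified class names (JDK ObjectInputFilter pattern syntax).
    // Patterns are matched in order; the trailing "!*" rejects anything not listed.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "java.lang.String;java.lang.Integer;java.lang.Number;!*");

    // Deserializes one object. The filter runs for each class descriptor the stream
    // names before that class is resolved, so no branch can skip the check.
    public static Object readObject(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();   // throws InvalidClassException if the filter rejects
        }
    }

    // Helper to build constructed sample input for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: two allowlisted types and one that is not.
        System.out.println(readObject(serialize("hello")));   // String: accepted
        System.out.println(readObject(serialize(42)));        // Integer (and Number): accepted
        try {
            readObject(serialize(new Date()));                // java.util.Date: not allowlisted
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same property is what the MINA 2.1.11 fix restores for IoBuffer.getObject(): no class name reaches Class.forName() without first passing the allowlist.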
