[ https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
René Cordier updated JAMES-3033:
--------------------------------
Description:
Due to an incomplete fix for
[CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658],
checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus
ending up to this [CWE-611: Improper Restriction of XML External Entity
Reference|https://cwe.mitre.org/data/definitions/611.html].
It is not urgent to upgrade though.
was:
Due to an incomplete fix for
[CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658],
checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus
ending up to this [CWE-611: Improper Restriction of XML External Entity
Reference|https://cwe.mitre.org/data/definitions/611.html].
We need to fix it asap by upgrading it from version 8.23 to 8.29.
> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
> Key: JAMES-3033
> URL: https://issues.apache.org/jira/browse/JAMES-3033
> Project: James Server
> Issue Type: Improvement
> Reporter: René Cordier
> Priority: Major
> Labels: security
>
> Due to an incomplete fix for
> [CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658],
> checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus
> ending up to this [CWE-611: Improper Restriction of XML External Entity
> Reference|https://cwe.mitre.org/data/definitions/611.html].
> It is not urgent to upgrade though.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)