Rémi Kowalski created JAMES-3223:
------------------------------------
Summary: Bump guava and bean-utils to fix vulnerability
Key: JAMES-3223
URL: https://issues.apache.org/jira/browse/JAMES-3223
Project: James Server
Issue Type: Bug
Affects Versions: 3.5.0
Reporter: Rémi Kowalski
h5. [CVE-2018-10237|https://github.com/advisories/GHSA-mvr2-9pj6-7w5j]
moderate severity
*Vulnerable versions:* > 11.0, < 24.1.1
*Patched version:* 24.1.1
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
allows remote attackers to conduct denial of service attacks against servers
that depend on this library and deserialize attacker-provided data, because the
AtomicDoubleArray class (when serialized with Java serialization) and the
CompoundOrdering class (when serialized with GWT serialization) perform eager
allocation without appropriate checks on what a client has sent and whether the
data size is reasonable.
h5. [CVE-2019-10086|https://github.com/advisories/GHSA-6phf-73q6-gh87]
high severity
*Vulnerable versions:* < 1.9.4
*Patched version:* 1.9.4
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added
which allows suppressing the ability for an attacker to access the classloader
via the class property available on all Java objects. We, however, were not
using this by-default characteristic of the PropertyUtilsBean.
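Added example, not part of this issue or of the James code base: a small check that shows whether the `class` property described in CVE-2019-10086 is reachable through a PropertyUtilsBean, and how the SuppressPropertiesBeanIntrospector closes it. It assumes commons-beanutils is on the classpath; the `Settings` bean is a constructed sample.

```java
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {
    // Constructed sample bean. Like every Java object it has getClass(), which
    // BeanUtils exposes as a "class" property unless an introspector suppresses it.
    public static class Settings {
        private String name = "demo";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Returns true if "class" (and thus the classloader) is reachable via this PropertyUtilsBean. */
    static boolean classPropertyReachable(PropertyUtilsBean pub, Object bean) {
        try {
            return pub.getProperty(bean, "class") != null;
        } catch (NoSuchMethodException e) {
            return false;   // property not exposed: the suppressor is active
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Settings bean = new Settings();

        // Default introspectors only. On 1.9.2/1.9.3 this reports true;
        // on 1.9.4 SUPPRESS_CLASS is registered by default and it reports false.
        PropertyUtilsBean unguarded = new PropertyUtilsBean();
        System.out.println("default bean: class reachable = "
                + classPropertyReachable(unguarded, bean));

        // Explicit mitigation for versions before 1.9.4.
        PropertyUtilsBean guarded = new PropertyUtilsBean();
        guarded.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("guarded bean: class reachable = "
                + classPropertyReachable(guarded, bean));
    }
}
```

Running this against the old and the bumped beanutils jar is a quick way to confirm the dependency upgrade actually changed the default behaviour.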