Adobe-Consulting-Services / acs-aem-commons

http://adobe-consulting-services.github.io/acs-aem-commons/
Apache License 2.0

[ACS AEM Common 6.3.8] Vulnerabilities Regarding Logback and Nekohtml. #3346

Open glo10847 opened 5 months ago

glo10847 commented 5 months ago

Required Information

Expected Behavior

No vulnerabilities regarding logback and nekohtml

Actual Behavior

Vulnerabilities found related to Logback and nekohtml in ACS AEM Commons 6.3.8

Steps to Reproduce

Customer reported vulnerabilities regarding Logback and Nekohtml. They are using AEM ACS Commons OOTB bundles. Customer ran the scan using the Snyk tool. Adobe ACS AEM Commons uses logback version 1.2.3. But as per the Snyk vulnerability dashboard it should be upgraded to 1.2.13 or a higher version, due to which we are seeing the above-mentioned Snyk vulnerabilities in the Snyk dashboard.


Refer to the attached doc for more.

For vulnerabilities regarding Nekohtml, please refer to the attached document. Snyk Issues (3).docx

synk issues from acs-commons.docx

ravrockss commented 4 months ago

The vulnerability mentioned with the logback package is still present in ACS Commons bundle 6.6.0. One pseudo fix is to exclude the logback package from the codebase where acs-aem-commons-bundle is being included as a dependency.
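A Maven exclusion of the kind the comment above describes, shown here as an added example that is not part of this thread or of the project's own build files; the Logback artifact coordinates (ch.qos.logback:logback-classic and logback-core) and the provided scope are assumptions about the consuming project, and the version is the one named in the comment:

```xml
<!-- Added example (not from the issue thread): consuming project's pom.xml
     declaring acs-aem-commons-bundle with Logback excluded from its
     transitive dependencies. Assumed: Logback reaches the project through
     the bundle as ch.qos.logback:logback-classic / logback-core, and the
     bundle is consumed with provided scope as is usual for AEM projects. -->
<dependency>
    <groupId>com.adobe.acs</groupId>
    <artifactId>acs-aem-commons-bundle</artifactId>
    <version>6.6.0</version>
    <scope>provided</scope>
    <exclusions>
        <!-- Drop the Logback 1.2.3 artifacts that the scanner flags; the
             AEM runtime supplies its own logging implementation. -->
        <exclusion>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
        </exclusion>
        <exclusion>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>
```

Confirm the exclusion took effect with `mvn dependency:tree -Dincludes=ch.qos.logback` (an empty result means Logback no longer reaches the build graph through this path). This only changes the Maven dependency graph: if the deployed ACS Commons bundle jar itself carries Logback classes, a scanner inspecting the deployed artifact will still report them, so check the bundle as installed in AEM as well.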