Open glo10847 opened 5 months ago
The vulnerability mentioned with the logback package is still present in ACS Commons bundle 6.6.0. One pseudo fix is to exclude the logback package from the codebase where acs-aem-commons-bundle is being included as a dependency.
Required Information
Expected Behavior
No vulnerabilities regarding logback and nekohtml
Actual Behavior
Vulnerabilities found related to Logback and nekohtml in ACS AEM Commons 6.3.8
Steps to Reproduce
Customer reported vulnerabilities regarding Logback and Nekohtml. They are using AEM ACS Commons OOTB bundles. Customer ran the scan using the Snyk tool. Adobe ACS AEM Commons uses logback version 1.2.3, but as per the Snyk vulnerability dashboard it should be upgraded to 1.2.13 or a higher version, due to which we are seeing the above-mentioned vulnerabilities in the Snyk dashboard.
Refer to the attached document for more.
For vulnerabilities regarding Nekohtml, please refer to the attached document: Snyk Issues (3).docx
synk issues from acs-commons.docx
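The workaround the report describes (dropping the transitive logback and nekohtml artifacts where acs-aem-commons-bundle is consumed), written out as a Maven dependency stanza. This is an added example, not code from the issue or from the ACS AEM Commons project; the coordinates `com.adobe.acs:acs-aem-commons-bundle`, `ch.qos.logback:logback-core`, `ch.qos.logback:logback-classic` and `net.sourceforge.nekohtml:nekohtml` are assumed, and 6.6.0 is the version named in the report.

```xml
<!-- Added example: exclude the flagged transitive artifacts from the consuming project's pom.xml.
     Coordinates are assumed; check them against `mvn dependency:tree` for your build. -->
<dependency>
  <groupId>com.adobe.acs</groupId>
  <artifactId>acs-aem-commons-bundle</artifactId>
  <version>6.6.0</version>
  <scope>provided</scope>
  <exclusions>
    <!-- logback 1.2.3 is what the scanner flags; drop both core and classic -->
    <exclusion>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
    </exclusion>
    <exclusion>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
    </exclusion>
    <!-- nekohtml is the second library the scan reports -->
    <exclusion>
      <groupId>net.sourceforge.nekohtml</groupId>
      <artifactId>nekohtml</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

After rebuilding, confirm with `mvn dependency:tree` that neither artifact remains on the build path and re-run the scan; note that an exclusion only removes the artifact from this project's build and does not change what the bundle itself ships or resolves inside the OSGi container.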