Geolykt
commented
1 year ago While of course referencing CVEs sounds like a super serious issue, this is not a vault bug nor a serious issue in the realm of Vault. Report this to IJ instead - dependencies with the test scope (which is the case for junit, see https://github.com/MilkBowl/VaultAPI/blob/master/pom.xml#L70-L71) are irrelevant to you as an API consumer. (Hell, it's even an optional dependency!)
Technically this issue could be resolved in a future version of vault, but there is little reason to update vault just for this CVE that probably doesn't affect vault in the first place as that dependency is not used at all (at least at first glance). If anyone wants to fix this issue regardless, the dependency should be dropped.
<dependency><groupId>com.github.MilkBowl</groupId><artifactId>VaultAPI</artifactId><version>1.7</version><scope>provided</scope></dependency>I used this dependency from the README.md given in the github repo. And Intellij gave me the following vulnerability, 'Provides transitive vulnerable dependency maven:junit:junit:4.10 CVE-2020-15250 5.5 Incorrect Permission Assignment for Critical Resource vulnerability pending CVSS allocation Results powered by Checkmarx(c)'