Open raphisuter opened 1 year ago
Indeed that seems to be the reasonable way out.
Although this hasn't been said out loud, it seems like the 4.5.x branch of httpclient won't be getting upgraded to commons-codec 1.16, which has this vuln supposedly fixed as per https://issues.apache.org/jira/browse/HTTPCLIENT-2237?focusedCommentId=17612305&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17612305
This is mostly for Java-version compatibility. Commons-codec seems to be catering for really old Java versions.
sumologic-java-http-core uses Apache HttpClient v4.5.13. Apache HttpClient has a dependency on commons-codec 1.11, which is vulnerable to CVE-2020-15250. I suggest updating to Apache HttpClient v5.2 to get more current, non-vulnerable dependencies.
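The two options discussed in this thread, pinning the transitive commons-codec to 1.16 while staying on the HttpClient 4.5.x line versus moving to HttpClient 5, can both be expressed on the consumer side of a Maven build. The fragment below is an added example and is not code from sumologic-java-http-core or from this issue; it assumes the consuming project builds with Maven and uses maven-enforcer-plugin 3.4.1 (the version number is an assumption, any recent release works). The Maven coordinates for commons-codec, httpclient 4.5.13 and httpclient5 5.2 are the real published artifacts.

```xml
<!-- Fragment of a consuming project's pom.xml (added example, not from
     sumologic-java-http-core). Pins the transitive commons-codec to 1.16
     while keeping Apache HttpClient 4.5.13, and fails the build if an
     older commons-codec is resolved through any other dependency. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Override the commons-codec 1.11 that httpclient 4.5.13 pulls in.
           A dependencyManagement entry wins over the transitive version
           in Maven's "nearest wins" resolution. -->
      <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>1.16</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
    <!-- Alternative suggested in the issue: move to the HttpClient 5 line.
         It is a different artifact with a different package namespace and
         API, so it is a code change, not a version bump:
         org.apache.httpcomponents.client5:httpclient5:5.2 -->
  </dependencies>

  <build>
    <plugins>
      <!-- Guard rail: make the build fail if commons-codec below 1.16 shows
           up anywhere in the resolved dependency graph, so a later
           dependency change cannot silently reintroduce the old version. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-old-commons-codec</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- every commons-codec version strictly below 1.16 -->
                    <exclude>commons-codec:commons-codec:[,1.16)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying the override, `mvn dependency:tree -Dincludes=commons-codec` shows which version is actually resolved; the enforcer rule turns that manual check into a build failure if the pin is ever lost. Pinning only works while commons-codec 1.16 stays binary-compatible with what httpclient 4.5.13 calls, which is why the thread's other option, moving to httpclient5, is the cleaner long-term fix.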