Closed koenigroland closed 10 months ago
I have a PR open that fixes it, see #369 / #389
Cannot say how critical this CVE is here, as in if the groovy classes touch any untrusted inputs, but I can tell you that it would get fixed with the PR granted it gets merged.
Done.
Please Update
to version 3.0.1 to avoid critical vulnerabilities in a transitive dependency to groovy.
CVE-2016-6814 CVE-2015-3253
Current version uses groovy:

```
[INFO] +- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
[INFO] | +- org.apache.maven.release:maven-release-api:jar:2.5.3:compile
[INFO] | | - org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile
[INFO] | | - org.eclipse.aether:aether-api:jar:1.0.0.v20140518:compile
[INFO] | +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] | | - org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] | +- org.apache.maven:maven-artifact-manager:jar:2.2.1:compile
[INFO] | | +- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-6:compile
[INFO] | | - backport-util-concurrent:backport-util-concurrent:jar:3.1:compile
[INFO] | +- org.apache.maven:maven-project:jar:2.2.1:compile
[INFO] | | +- org.apache.maven:maven-profile:jar:2.2.1:compile
[INFO] | | - org.apache.maven:maven-plugin-registry:jar:2.2.1:compile
[INFO] | +- org.apache.maven.shared:maven-invoker:jar:2.2:compile
[INFO] | +- commons-lang:commons-lang:jar:2.4:compile
[INFO] | +- commons-cli:commons-cli:jar:1.2:compile
[INFO] | +- commons-io:commons-io:jar:2.2:compile
[INFO] | +- org.apache.maven.scm:maven-scm-providers-standard:pom:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-accurev:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-bazaar:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-clearcase:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-cvsexe:jar:1.9.4:runtime
[INFO] | | | - org.apache.maven.scm:maven-scm-provider-cvs-commons:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-cvsjava:jar:1.9.4:runtime
[INFO] | | | +- org.netbeans.lib:cvsclient:jar:20060125:runtime
[INFO] | | | - ch.ethz.ganymed:ganymed-ssh2:jar:build210:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-gitexe:jar:1.9.4:runtime
[INFO] | | | - org.apache.maven.scm:maven-scm-provider-git-commons:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-hg:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-perforce:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-starteam:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-svnexe:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-synergy:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-vss:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-tfs:jar:1.9.4:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-integrity:jar:1.9.4:runtime
[INFO] | | | +- com.mks.api:mksapi-jar:jar:4.10.9049:runtime
[INFO] | | | - org.codehaus.groovy:groovy-all:jar:1.7.6:runtime
```

New version avoids it:

```
[INFO] +- org.apache.maven.release:maven-release-manager:jar:3.0.1:compile
[INFO] | +- org.apache.maven.release:maven-release-api:jar:3.0.1:compile
[INFO] | | - org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile
[INFO] | +- org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:compile
[INFO] | +- org.codehaus.plexus:plexus-cipher:jar:2.0:compile
[INFO] | +- org.apache.maven.shared:maven-invoker:jar:3.2.0:compile
[INFO] | +- org.eclipse.aether:aether-api:jar:1.0.0.v20140518:compile
[INFO] | +- org.apache.maven.scm:maven-scm-providers-standard:pom:2.0.0:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-gitexe:jar:2.0.0:runtime
[INFO] | | | - org.apache.maven.scm:maven-scm-provider-git-commons:jar:2.0.0:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-jgit:jar:2.0.0:runtime
[INFO] | | | +- org.eclipse.jgit:org.eclipse.jgit:jar:5.13.1.202206130422-r:runtime
[INFO] | | | | - com.googlecode.javaewah:JavaEWAH:jar:1.1.13:runtime
[INFO] | | | +- org.eclipse.jgit:org.eclipse.jgit.ssh.apache:jar:5.13.1.202206130422-r:runtime
[INFO] | | | | +- org.apache.sshd:sshd-osgi:jar:2.7.0:runtime
[INFO] | | | | +- org.apache.sshd:sshd-sftp:jar:2.7.0:runtime
[INFO] | | | | | - org.apache.sshd:sshd-core:jar:2.7.0:runtime
[INFO] | | | | | - org.apache.sshd:sshd-common:jar:2.7.0:runtime
[INFO] | | | | - net.i2p.crypto:eddsa:jar:0.3.0:runtime
[INFO] | | | - org.slf4j:jcl-over-slf4j:jar:1.7.36:runtime
[INFO] | | +- org.apache.maven.scm:maven-scm-provider-hg:jar:2.0.0:runtime
[INFO] | | - org.apache.maven.scm:maven-scm-provider-svnexe:jar:2.0.0:runtime
[INFO] | +- org.apache.maven.scm:maven-scm-manager-plexus:jar:2.0.0:runtime
[INFO] | +- org.apache.maven.scm:maven-scm-api:jar:2.0.0:compile
[INFO] | +- org.apache.maven.scm:maven-scm-provider-svn-commons:jar:2.0.0:compile
[INFO] | - org.jdom:jdom2:jar:2.0.6.1:compile
```
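The practical problem behind this issue is spotting one vulnerable `groovy-all` buried deep in a transitive tree. The script below is an added example, not code from the issue or from the project: it parses `mvn dependency:tree` output and flags any `org.codehaus.groovy` artifact whose version falls inside the affected ranges given in the NVD descriptions of the two CVEs named above (1.7.0 up to 2.4.3 for CVE-2015-3253, 1.7.0 up to 2.4.7 for CVE-2016-6814). Treat those bounds as an assumption to re-check against the advisories. The two embedded tree excerpts are constructed, abbreviated copies of the 2.5.3 and 3.0.1 output quoted in the issue. The finding also carries the dependency scope, because the follow-up question raised in the comments, whether the groovy classes ever see untrusted input, starts from knowing how they reach the classpath.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges from the NVD descriptions of the two CVEs named in the issue.
# Assumption: verify these bounds against the current advisories before relying on them.
# Entry: (CVE, first affected version, first fixed version); affected if lo <= v < hi.
GROOVY_ADVISORIES: List[Tuple[str, Version, Version]] = [
    ("CVE-2015-3253", (1, 7, 0), (2, 4, 4)),  # MethodClosure remote code execution
    ("CVE-2016-6814", (1, 7, 0), (2, 4, 8)),  # code execution on Java deserialization
]

# One Maven coordinate as printed by `mvn dependency:tree`:
#   group:artifact:type[:classifier]:version:scope
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):([\w.-]+):(?:[\w.-]+:)?([\w.-]+):(\w+)")

# Constructed excerpts of the two trees quoted in the issue (2.5.3 and 3.0.1).
OLD_TREE = """[INFO] +- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
[INFO] |  +- org.apache.maven.scm:maven-scm-providers-standard:pom:1.9.4:runtime
[INFO] |  |  +- org.apache.maven.scm:maven-scm-provider-integrity:jar:1.9.4:runtime
[INFO] |  |  |  +- com.mks.api:mksapi-jar:jar:4.10.9049:runtime
[INFO] |  |  |  \\- org.codehaus.groovy:groovy-all:jar:1.7.6:runtime
"""

NEW_TREE = """[INFO] +- org.apache.maven.release:maven-release-manager:jar:3.0.1:compile
[INFO] |  +- org.apache.maven.scm:maven-scm-providers-standard:pom:2.0.0:runtime
[INFO] |  |  +- org.apache.maven.scm:maven-scm-provider-jgit:jar:2.0.0:runtime
[INFO] |  |  |  +- org.eclipse.jgit:org.eclipse.jgit:jar:5.13.1.202206130422-r:runtime
[INFO] |  \\- org.jdom:jdom2:jar:2.0.6.1:compile
"""


def parse_version(text: str) -> Version:
    """Numeric prefix of a Maven version: '1.7.6' -> (1, 7, 6), '2.4.8-rc1' -> (2, 4, 8)."""
    parts: List[int] = []
    for piece in re.split(r"[.-]", text):
        if not piece.isdigit():
            break  # stop at qualifiers such as 'r', 'beta', 'v20140518'
        parts.append(int(piece))
    return tuple(parts)


def advisories_for(version: Version) -> List[str]:
    """CVEs whose affected range contains this Groovy version."""
    return [cve for cve, lo, hi in GROOVY_ADVISORIES if lo <= version < hi]


def find_vulnerable_groovy(tree_text: str) -> List[Dict[str, str]]:
    """One finding per org.codehaus.groovy artifact in the tree that falls in an affected range."""
    findings: List[Dict[str, str]] = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue  # not a coordinate line (plugin headers, blank [INFO] lines, ...)
        group, artifact, _type, version, scope = m.groups()
        if group != "org.codehaus.groovy":
            continue
        cves = advisories_for(parse_version(version))
        if cves:
            findings.append({
                "artifact": f"{group}:{artifact}",
                "version": version,
                "scope": scope,  # runtime vs compile: how the classes reach the classpath
                "cves": ", ".join(cves),
            })
    return findings


if __name__ == "__main__":
    for label, tree in (("maven-release-manager 2.5.3", OLD_TREE),
                        ("maven-release-manager 3.0.1", NEW_TREE)):
        hits = find_vulnerable_groovy(tree)
        print(f"{label}: {len(hits)} vulnerable Groovy artifact(s)")
        for hit in hits:
            print(f"  {hit['artifact']}:{hit['version']} ({hit['scope']} scope) -> {hit['cves']}")
```

To run it against a real build, replace the embedded excerpt with the captured output of `mvn dependency:tree` (or read it from a file); the regex only needs the coordinate text, so the `[INFO]` prefixes and tree characters can stay. The version comparison deliberately uses only the numeric prefix, so a qualifier such as `-rc1` is treated like the release it precedes; adjust `GROOVY_ADVISORIES` if you need to track further Groovy fixes.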