Closed ghost closed 6 years ago
Hi @alek-cf!
This transitive dependency is a dependency of a server-provided library and it's not bundled in the final artifact, so I understand that there is no change to be applied to the pom.xml as it would not reflect any change.
Please reopen this issue if I still need to take any action regarding this.
After call graph analysis, this vulnerable method does not appear to be called; however, best practice dictates updating to a safe version.
This vulnerability is in a transitive dependency; it can be fixed by overriding it and adding a new direct dependency on the library in your project.
Apache Commons FileUpload is vulnerable to remote code execution via deserialization. In Apache Commons FileUpload, a DiskFileItem is used to handle file uploads. DiskFileItem is serializable and implements custom writeObject() and readObject() functions. An attacker is able to modify the serialized data before it is deserialized, and write or copy files to disk in arbitrary locations. Furthermore, it's possible for an attacker to combine this vulnerability with the ysoserial tool to upload and execute binaries in a single deserialization call.
This issue was fixed in version 1.3.3 of Apache Commons FileUpload. That version is currently considered safe; we suggest that you upgrade to the fixed version.
pom.xml
Dependency graph (groupId:artifactId:version, each line depends on the one below it):
com.atlassian.bitbucket.server:bitbucket-page-objects:5.8.0
  com.atlassian.bitbucket.server:bitbucket-it-common:5.8.0
    com.atlassian.plugins.rest:atlassian-rest-common:3.4.10
      com.atlassian.plugins.rest:com.atlassian.jersey-library:3.4.10
        commons-fileupload:commons-fileupload:1.3.2
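The override described above, written out as a pom.xml fragment; this is an added example, not the project's own pom or anything from the original issue. It pins the transitive commons-fileupload to the fixed 1.3.3 through dependencyManagement and adds a Maven Enforcer rule so the build fails if any path pulls a version below 1.3.3 back in (the enforcer plugin version is an assumption).

```xml
<project>
  <!-- ... existing coordinates, dependencies and build settings ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Force every transitive path (here via bitbucket-page-objects ->
           bitbucket-it-common -> atlassian-rest-common -> jersey-library)
           to resolve commons-fileupload to the fixed release. -->
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed version; use your project's -->
        <executions>
          <execution>
            <id>ban-vulnerable-fileupload</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- Any version strictly below 1.3.3 fails the build,
                         regardless of scope or which library brought it in. -->
                    <exclude>commons-fileupload:commons-fileupload:[,1.3.3)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying it, `mvn dependency:tree -Dincludes=commons-fileupload` should show 1.3.3 on every path, including the provided/test-scoped ones the maintainer mentions; the enforcer rule then keeps a future bump of the Atlassian libraries from silently reintroducing 1.3.2.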