d-maldonado
commented
8 years ago gmlewis,
We made this change in our other POMs but seemed to have missed this one. Thank you for bringing this our attention.
Daniel Maldonado
Closed gmlewis closed 8 years ago
d-maldonado
commented
8 years ago gmlewis,
We made this change in our other POMs but seemed to have missed this one. Thank you for bringing this our attention.
Daniel Maldonado
Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/