devhub-tud / devhub

DevHub is a software system designed to give students a simple practical introduction into modern software development.

Several dependencies have known vulnerabilities #429

Open TimvdLippe opened 7 years ago

TimvdLippe commented 7 years ago

Using the newly integrated dependency-checker, there are several packages vulnerable to exploits:

One or more dependencies were identified with known vulnerabilities in devhub:

jackson-datatype-guava-2.6.3.jar (com.fasterxml.jackson.datatype:jackson-datatype-guava:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-jaxrs-base-2.4.4.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.4.4, cpe:/a:fasterxml:jackson:2.4.4) : CVE-2016-3720
jackson-jaxrs-json-provider-2.4.1.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.4.1, cpe:/a:fasterxml:jackson:2.4.1) : CVE-2016-3720
api-ldap-client-all-1.0.0-M26.jar/META-INF/maven/commons-collections/commons-collections/pom.xml (commons-collections:commons-collections:3.2.1, cpe:/a:apache:commons_collections:3.2.1) : CVE-2015-6420

See the dependency-check report for more details.

jwgmeligmeyling commented 7 years ago

The first three vulnerabilities are false as far as I know; only fasterxml/jackson-xml was affected, not the other jackson components. CVE-2015-6420 for commons-collections exists but is not exploitable. Just bumping the versions removes these warnings.
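The summary lines quoted in the issue and the triage in the reply above (CPE matches on jackson sub-modules that look like false positives, and a commons-collections POM that is nested inside the api-ldap-client-all jar rather than being a direct dependency) lend themselves to a small parser. The following Python is an added example written for this page, not code from the DevHub project or from dependency-check: it parses the four lines into records, groups them by CVE, and flags the two review hints. The "artifactId differs from CPE product" heuristic and the "embedded in another jar" check are assumptions of this example, not rules of the tool; the sample input is the report text constructed from the issue.

```python
"""Parse dependency-check summary lines of the form
   <path> (<group>:<artifact>:<version>, cpe:/a:<vendor>:<product>:<version>) : <CVE list>
into records and attach review hints."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the four findings quoted in the issue above.
REPORT = """\
One or more dependencies were identified with known vulnerabilities in devhub:

jackson-datatype-guava-2.6.3.jar (com.fasterxml.jackson.datatype:jackson-datatype-guava:2.6.3, cpe:/a:fasterxml:jackson:2.6.3) : CVE-2016-3720
jackson-jaxrs-base-2.4.4.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.4.4, cpe:/a:fasterxml:jackson:2.4.4) : CVE-2016-3720
jackson-jaxrs-json-provider-2.4.1.jar (com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.4.1, cpe:/a:fasterxml:jackson:2.4.1) : CVE-2016-3720
api-ldap-client-all-1.0.0-M26.jar/META-INF/maven/commons-collections/commons-collections/pom.xml (commons-collections:commons-collections:3.2.1, cpe:/a:apache:commons_collections:3.2.1) : CVE-2015-6420
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+) \("
    r"(?P<group>[^:]+):(?P<artifact>[^:]+):(?P<version>[^,]+), "
    r"cpe:/a:(?P<cpe_vendor>[^:]+):(?P<cpe_product>[^:]+):(?P<cpe_version>[^)]+)"
    r"\) : (?P<cves>.+)$"
)


def _norm(name: str) -> str:
    """Normalise Maven and CPE spellings so 'commons-collections' == 'commons_collections'."""
    return name.lower().replace("_", "-")


@dataclass
class Finding:
    path: str
    group: str
    artifact: str
    version: str
    cpe_vendor: str
    cpe_product: str
    cpe_version: str
    cves: list = field(default_factory=list)

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"

    @property
    def embedded(self) -> bool:
        # "outer.jar/META-INF/maven/.../pom.xml" means the evidence is a POM
        # packaged inside another jar: the fix is updating the containing
        # artifact, not the inner coordinates (assumption of this example).
        return ".jar/" in self.path

    @property
    def cpe_name_mismatch(self) -> bool:
        # Heuristic assumed by this example: when the CPE product name is not
        # the artifactId (e.g. "jackson" for "jackson-datatype-guava"), the
        # tool matched a whole product family and the hit deserves a manual check.
        return _norm(self.artifact) != _norm(self.cpe_product)


def parse_report(text: str) -> list:
    """Return one Finding per matching line; headers and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        cves = [c.strip() for c in d.pop("cves").split(",")]
        findings.append(Finding(cves=cves, **d))
    return findings


def by_cve(findings: list) -> dict:
    """Map each CVE to the coordinates it was reported against."""
    out = {}
    for f in findings:
        for cve in f.cves:
            out.setdefault(cve, []).append(f.coordinates)
    return out


def triage(findings: list) -> list:
    """Return (coordinates, hint) pairs for a reviewer to work through."""
    rows = []
    for f in findings:
        hints = []
        if f.cpe_name_mismatch:
            hints.append("CPE product != artifactId, check for false positive")
        if f.embedded:
            hints.append("POM embedded in another jar, update the containing artifact")
        rows.append((f.coordinates, "; ".join(hints) or "review"))
    return rows


if __name__ == "__main__":
    found = parse_report(REPORT)
    for cve, coords in by_cve(found).items():
        print(cve, "->", ", ".join(coords))
    for coords, hint in triage(found):
        print(f"{coords}: {hint}")
```

Run it as a script to get the CVE grouping followed by the per-artifact hints; the three jackson lines are flagged by the name-mismatch heuristic and the commons-collections line by the embedded-POM check.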