christopherseeley
commented
2 years ago Thanks for raising this. CVE-2019-0227 impacts servers using apache-axis. This project uses apache-axis for clients. We also distribute a library that uses JAX-WS instead of Apache Axis if you prefer. It was originally developed for AppEngine but works in all environments:
<dependency>
<groupId>com.google.api-ads</groupId>
<artifactId>dfp-appengine</artifactId>
<version>RELEASE</version>
</dependency>
apache-axis(1.4) has a high cve: https://cve.report/CVE-2019-0227 and is end of life( will not be patched in later versions).
It seems it has been deprecated in favor axis-2. It seems it's not a straigtforward migration ( cannot simply substitute one dependency for another, as there were package name changes, and etc): https://axis.apache.org/axis2/java/core/docs/migration.html