hivemq / mqtt-cli

MQTT CLI is a useful command line interface for connecting various MQTT clients supporting MQTT 5.0 and 3.1.1
https://hivemq.github.io/mqtt-cli/
Apache License 2.0

Use commons-text version 1.10.0 or later. This resolves CVE-2022-42889. #324

Closed mario-schwede-hivemq closed 1 year ago

mario-schwede-hivemq commented 1 year ago

Motivation

The MQTT CLI uses Apache Commons Text version 1.9, which contains the critical vulnerability CVE-2022-42889: https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Apache Commons Text comes in as a transitive dependency of opencsv, and the current version 5.7.0 still depends on the vulnerable version 1.9: https://mvnrepository.com/artifact/com.opencsv/opencsv/5.7.0

Changes

Force the commons-text dependency to version 1.10.0 or later. Version 1.10.0 contains the fix for the vulnerability.

https://hivemq.kanbanize.com/ctrl_board/22/cards/9679/details/
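The change described above, overriding a vulnerable transitive dependency without touching the library that pulls it in, as an added Gradle Kotlin DSL example. This is not the mqtt-cli project's own build file and not the diff of this PR; it assumes a `build.gradle.kts` with the Kotlin DSL, that opencsv is declared with `implementation`, and that the affected configuration is `runtimeClasspath`.

```kotlin
// build.gradle.kts (added example, not the mqtt-cli build script)
dependencies {
    // Assumed direct dependency: opencsv 5.7.0 transitively brings in commons-text 1.9.
    implementation("com.opencsv:opencsv:5.7.0")

    constraints {
        // A dependency constraint raises the resolved version of the transitive artifact
        // without declaring it as something this project uses directly. It acts as a floor:
        // if another dependency later pulls in a newer commons-text, Gradle's conflict
        // resolution still picks the newer one, so the project stays on "1.10.0 or later".
        implementation("org.apache.commons:commons-text:1.10.0") {
            because("CVE-2022-42889: opencsv 5.7.0 still depends on commons-text 1.9")
        }
    }
}
```

To confirm that the override took effect, inspect the resolved graph rather than the declared one, for example with `./gradlew dependencies --configuration runtimeClasspath | grep commons-text`; Gradle marks an upgraded transitive as `org.apache.commons:commons-text:1.9 -> 1.10.0`. If you need an exact pin instead of a floor (for instance to stop a newer, unreviewed version sneaking in), the stricter alternative is `configurations.all { resolutionStrategy { force("org.apache.commons:commons-text:1.10.0") } }`, which overrides conflict resolution entirely and therefore also has to be bumped by hand when the next fix release appears.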