joniles / mpxj

Primary repository for MPXJ library
http://www.mpxj.org/
GNU Lesser General Public License v2.1
250 stars 104 forks source link

Vulnerability CVE-2024-47554⁠ in commons-io 2.11.0, fixed at 2.14.0 #767

Closed joe-sharp closed 3 weeks ago

joe-sharp commented 3 weeks ago

Hi Jon, hope you have been well!

Docker is flagging a vulnerability on containers using mpxj. CVE-2024-47554⁠ affects commons-io at version 2.11.0 and is fixed in 2.14.0. Happy to try and open a PR to address this if you don't have the time. Thanks!

joniles commented 3 weeks ago

Hello!

If you update to MPXJ >= 13.1.0, you'll be using POI 5.3.0 which brings in commons-io 2.16.1 which has the fix for the CVE you mention. I'd actually recommend the latest version of MPXJ (13.5.1) which fixes a separate CVE, so you should be warning free at that point.

joe-sharp commented 3 weeks ago

@joniles gotcha ok we will upgrade asap. We started working on it but I saw references to the old version searching your repository on GitHub so it looked unaddressed. Sorry for the noise!