Upgrade org.jasig.cas.client:cas-client-core

jooby-project / jooby

The modular web framework for Java and Kotlin

https://jooby.io

Apache License 2.0

1.71k stars 197 forks source link

Upgrade org.jasig.cas.client:cas-client-core #1141

Closed feffi closed 4 years ago

feffi commented 6 years ago

✗ High severity vulnerability found on org.jasig.cas.client:cas-client-core@3.4.1

info: XML External Entity (XXE) Injection

feffi commented 6 years ago

Fix/mitigation is dependent on https://github.com/apereo/java-cas-client/issues/191

feffi commented 6 years ago

for a parent list, have a look at: https://github.com/jooby-project/jooby/issues/1129

jknack commented 6 years ago

Same here a transitive dependency from pac4j:

[INFO] +- org.pac4j:pac4j-cas:jar:2.2.1:compile
[INFO] |  +- org.jasig.cas.client:cas-client-core:jar:3.4.1:compile
[INFO] |  \- org.jasig.cas.client:cas-client-support-saml:jar:3.4.1:compile

jknack commented 4 years ago

dependencies are automatically updated with dependabot now