CVE: 2015-2944 found in Apache Sling API - Version: 2.0.2-incubator [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache Sling API
Description	The Apache Sling API defines an extension to the Servlet API 2.4 to provide access to content and unified access to request parameters hiding the differences between the different methods of transferr
Language	JAVA
Vulnerability	Multiple Cross-site Scripting (XSS) Vulnerabilities
Vulnerability description	Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
CVE	2015-2944
CVSS score	4.3
Vulnerability present in version/s	0.0-2.2.1
Found library version/s	2.0.2-incubator
Vulnerability fixed in version	2.2.2
Library latest version	2.27.0
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/817?version=2.0.2-incubator
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/1655
• Patch: https://github.com/apache/sling/commit/89e0555c75da9bda3007dadc08521dc0cbc90a0c

[github-actions[bot]]

Veracode issue link to PR: https://github.com/julz0815/test-action/pull/184